Abstract—Access control is fundamental to computer security,
and has thus been the subject of extensive formal study. In
particular, relative expressiveness analysis techniques have used 
formal mappings called simulations to explore whether one 
access control system is capable of emulating another, thereby 
comparing the expressive power of these systems. Unfortunately, 
the notions of expressiveness simulation that have been explored 
vary widely, which makes it difficult to compare results in the 
literature, and even leads to apparent contradictions between 
results. Furthermore, some notions of expressiveness simulation 
make use of non-determinism, and thus cannot be used to define 
mappings between access control systems that are useful in 
practical scenarios. In this work, we define the minimum set 
of properties for an implementable access control simulation; 
i.e., a deterministic “recipe” for using one system in place of 
another. We then define a wide range of properties spread 
across several dimensions that can be enforced on top of this 
minimum definition. These properties define a taxonomy that 
can be used to separate and compare existing notions of access 
control simulation, many of which were previously incomparable.
We position existing notions of simulation within our properties 
lattice by formally proving each simulation’s equivalence to a 
corresponding set of properties. Lastly, we take steps towards 
bridging the gap between theory and practice by exploring 
the systems implications of points within our properties lattice. 
This shows that relative expressive analysis is more than just a 
theoretical tool, and can also guide the choice of the most suitable 
access control system for a specific application or scenario. 

I. Introduction 

Access control is foundational to computer security and, 
as such, has been the topic of extensive formal study. Much 
of this work has focused on comparing different techniques 
for representing and enforcing access control, deemed access 
control models, systems, or schemes. By far the most common 
type of comparative study in access control techniques is the 
expressiveness simulation (e.g., [1]–[14]). A simulation is a
formal mapping from, say, system S to system T that proves 
T is at least as expressive as S: that is, T possesses the raw 
capability to be used in operating environments in place of S. 

However, the formal definitions of the various simulations
used in the literature vary widely. Different simulations have 
been used to prove various types of results, ranging from 
very specific properties about whole ranges of models (e.g., 
monotonic access control models with multi-parent creation 


cannot be simulated by monotonic models with only single-parent
creation) to the ability to replace certain specific models with
others in practice (e.g., role-based access control can be
configured to enforce mandatory and discretionary policies).
However, this disparity in the goals of these works has led to
many different definitions of access control simulation, often
tailored to the particular result sought. It has been shown that
these different simulations prove wildly different notions of
expressiveness, often not preserving any particular security
properties.

Furthermore, not all of these notions of simulation are 
practically useful. For instance, some make use of non-determinism,
manipulating the policy differently depending
on what future queries will be asked. While this may allow 
a theorist to show that system T is capable of doing all the 
things S is, if a practitioner wants to use system T in place 
of system S, she needs a deterministic procedure for doing so. 

In this work, we build a taxonomy for expressiveness 
simulations based on the simulation properties that they satisfy. 
We determine the minimum requirements for a mapping to 
be implementable, or applicable toward using one system in 
place of another in practice. We use these requirements to 
construct a general definition of implementable simulation, and
provide a taxonomy of additional restrictions on this definition
for simulations that enforce more stringent properties. We then
position existing simulations from the literature within this
lattice, providing the first such comparison in the literature.

To this end, we make the following contributions. 

Definition of implementable access control simulation We 
propose a general definition of an implementable access control
mapping that is broad enough to encompass much of the wide 
range of existing access control simulations, yet precise enough 
to guarantee implementability. Intuitively, an implementable 
simulation of S in T shows that T can accomplish everything
S can, and deterministically shows how (Section III).

Lattice of simulation properties We decompose and expand 
upon the properties enforced by various access control simulations
from the literature, forming a lattice relating the range
of access control simulations to one another. This lattice 
allows us to formally compare the guarantees offered by 


existing notions of access control simulation (many of which 
were not formerly known to be comparable) and points to 
unexplored combinations of properties that can yield different 
expressiveness results (Section IV).

Positioning of existing simulations We construct formal
proofs positioning existing notions of access control simulation
within our lattice of simulation properties, including a
comparative discussion of simulations that previously seemed
incomparable. We thus systematize the formal relationships between
previously-published simulations, allowing reconciliation
of previously disparate expressiveness knowledge (Section V).

Selecting simulation properties We observe that many of the
dimensions upon which our simulation property lattice is built 
have implications for the use of simulations for satisfying real- 
world requirements using existing access control systems (e.g., 
required storage, whether data structures must be locked for 
concurrent usage). Thus, in addition to positioning existing 
notions of simulation within our lattice of properties, we 
assist in creating new notions of simulation by selecting 
the properties that should be enforced in an expressiveness 
analysis based upon the scenario in which an eventual access 
control deployment will occur. To this end, we discuss in detail 
various interactions between simulation properties, the results 
of enforcing different properties, and how a specific deployment 
scenario dictates which properties are relevant (Section VI).

We begin by providing background on the goals of and 
techniques used in relative expressiveness analysis. 

II. Relative Expressiveness Analysis 

In this section, we describe how relative expressiveness 
analysis is conducted, survey the history of the technique, 
and point out the wide variety in existing access control 
expressiveness simulations. 

A. Motivating Examples 

An access control system’s expressiveness (or expressive 
power) is a measure of the range of policies that it can 
represent and the transformations it can make to those policies. 
Statements of relative expressiveness state that one system 
is capable of replacing another (that is, it can represent all 
the same policies and transform them in equivalent ways). 
Assume, for instance, that an organization is considering 
transitioning from one access control solution to another, in 
order to accommodate evolving requirements. The organization 
may have specific desired features for this new access control 
system, but it certainly must be able to represent all of the 
policies that the existing system can, or it would not be a 
suitable replacement. Thus, this organization is searching for 
a new system that is at least as expressive as its old system. 

Another use of relative expressiveness is in suitability 
analysis. Prior work has noted that practically evaluating an 
access control system must take into account the application 
in which the system is to be used, as well as additional 
cost metrics (e.g., computation, ease of use). This analysis 
problem has been identified as a system’s suitability to a 
particular application. Suitability analysis formalizes


an application’s access control requirements (a workload), and 
uses expressiveness to prove that an access control system 
can satisfy those requirements. Assume, in this case, that 
the aforementioned organization is choosing an initial access 
control system for a new collection of data. Comparing the 
candidates’ relative expressiveness is not particularly enlightening,
since the most expressive system may not be the most
suitable; the organization should instead formalize their access 
control workload and use relative expressiveness analysis to 
identify which of the candidates are expressive enough to satisfy 
this workload. Thus, while work in suitability analysis has 
shown that expressive power alone is insufficient for evaluating 
an access control system, expressiveness is a fundamentally 
important component of a more general suitability analysis 
workflow: one cannot determine which access control system 
is best for a particular use case without first determining which 
are capable of satisfying that use case. 

B. Prior Work 

Relative expressiveness analysis generally starts by formalizing
a pair of access control systems as state machines. These
state machines include, at a minimum: a set of states, each of 
which encapsulates a snapshot of the access control system’s 
data structures; a procedure describing how to interpret the 
states’ data structures to determine which authorization requests 
are granted; and a set of commands, used to manipulate the data 
structures and thus transition between states. Some formalisms 
for access control systems also include additional queries 
beyond access requests [13]. A simulation, then, is a
structure that proves T is at least as expressive as S—or, that
T can be used in place of S. The term simulation is rather
vague, here, and for good reason: various notions of simulation
in the literature have meant very different things (e.g., What
type of behavior must be simulated? How closely must T
represent the information in S?), and as a result have implied
very different types of expressiveness results.

The works of Sandhu, Ganta, Munawer, and Osborn (e.g., [19])
include some of the earliest access control simulations.
In these works, a simulation of S in T must show that a
permission can be granted in S if and only if it can also be
granted in T. No other formal properties are enforced, though
in some cases additional properties become part of the de 
facto definition of simulation. For instance, while there is no 
requirement for T to have a state equivalent to each S state 
(merely for T to be able to grant each access that S does, 
in some state), the example simulations all include methods 
for mapping each S state to a T state (as this is the simplest 
way to show the required property). In addition, although the 
definition does not prohibit the use of an unbounded number 
of T commands to simulate a single S command, Sandhu and 
Munawer only use simulations in which an S command is
simulated using a constant number of T commands. 

Ganta’s PhD dissertation attempts to formalize a more
rigorous notion of expressiveness simulation. In his simulation, 
the state correspondence is explicit, requiring that each state 
in S have a corresponding state in T that grants all the same 


accesses (at least, all those that exist in S —those that exist in 
T but not in S are unconstrained). In addition, to ensure that 
T cannot grant accesses that S cannot, any state that can be 
entered in T must also have a corresponding reachable state in 
S. Finally, to ensure accesses in T cannot be combined in ways 
that cannot occur in S, the following restriction is made: when 
simulating a T command in S, multiple commands may be 
used, but each state along the way must allow either a subset 
of the accesses of the start state or a subset of the accesses 
of the end state. Thus, no two accesses can be allowed in the 
same state in T that are not allowed in a single state in S. 

Ammann, Lipton, and Sandhu took a different (and
much more strict) approach to more rigorously defining a
simulation. First, they describe a strict state correspondence 
that requires T to represent its states with the same sets and 
relations as S, and for these sets to have identical contents 
in corresponding T and S states. In other words, T cannot 
include additional elements in any sets that S uses (although 
additional, distinct sets may be stored). For example, one could 
simulate the state $\{U = \{a, b\}, V = \{c\}\}$ with state
$\{U = \{a, b\}, V = \{c\}, W = \{(a, d), (b, d)\}\}$, but not with
$\{U = \{a, b\}, V = \{c, d\}\}$. Given this notion of state correspondence,
a simulation then shows that T can reach a state corresponding 
to each reachable S state, and cannot reach any state that does 
not have a reachable corresponding state in S. This strict notion 
of simulation is used to show that monotonic, multi-parent 
systems are more expressive than monotonic, single-parent 
systems (e.g., there are monotonic multi-parent systems that 
cannot be simulated by any monotonic single-parent system). 

Chander, Dean, and Mitchell [13] restrict the definition of
simulation in a different way. Rather than force a more strict 
state correspondence (the static portion of the simulation), they 
more tightly restrict the way the simulation handles the system 
as it executes (i.e., the command mapping). In these simulations, 
the state correspondence is comparatively lax: to simulate an S 
state, a T state must allow and deny all the same authorization 
requests as its corresponding S state. Additional requests can 
exist in T and are unconstrained, but all requests corresponding 
to those in S must have the same value in corresponding states. 
However, the process for simulating an S command using T 
commands must be independent of the state: it cannot execute a 
T command for each user, or otherwise inspect the state when 
determining what commands should be executed. In addition, 
in the strong form of simulation, each S command must be 
simulated with a single T command. They then compare the 
expressiveness of access control lists, trust management, and 
two forms of capability systems (all systems studied in forms 
with and without revocation and delegation). 

Tripunitara and Li noted that the existing notions
of simulation did not correspond directly to any particular 
safety analysis questions, and thus a simulation of any of 
these types does not make any particular safety guarantees. 
They formalize compositional security analysis (intuitively, 
determining whether a certain set of access control queries 
will always, never, or sometimes become true in any reachable
state), which is a generalization of simple safety analysis.


They then present a notion of simulation tailor-made to preserve 
these types of analysis questions. 

Their simulation, called the state-matching reduction, considers
a broader range of queries than only authorization requests,
placing the strictness of its state correspondence somewhere 
between the work of Ammann, Lipton, and Sandhu and that 
of Chander, Dean, and Mitchell. The state-matching reduction 
maps each query $q^S$ in S to a single query $q^T$ in T, and the
simulation must determine the value of $q^S$ in any state in T
by checking the value of $q^T$. Finally, reachability constraints
ensure that T can reach a state corresponding to each reachable 
S state, and cannot reach any state that does not have a 
reachable corresponding state in S. Tripunitara and Li prove 
that this notion of simulation preserves compositional security 
analysis instances: that is, if there exists a state-matching 
reduction from S to T, then any compositional security analysis 
instance has the same truth value in both systems. Tripunitara 
and Li’s reductions have since been used to analyze role-based 
access control and prove that newly-proposed systems are
more expressive than certain existing systems.

Work by Hinrichs et al. recognizes the value of the
state-matching reduction but claims that, in practice, not all 
scenarios require the preservation of all possible compositional 
security analysis instances (nor are these the only types of safety 
properties that are ever relevant). They present parameterized 
expressiveness, which defines a baseline set of simulation 
properties, and provides several additional properties that can be 
enforced atop the baseline to provide additional guarantees. The 
base simulation uses the same query-based state correspondence 
as Tripunitara and Li, but relaxes the query mapping to allow 
it to consult multiple T queries to determine the value of 
an S query during simulation. Further properties enforced 
above this baseline include using the identity query mapping 
for authorization requests (to ensure that T’s authorization 
questions are the queries being used to simulate S’s authorization
requests), forbidding string manipulations (to prohibit
the state mapping from using arbitrary encodings to store 
information in the contents of strings such as user names), 
and restricting the command mapping from mapping non- 
administrative commands in S to administrative commands 
in T. This framework has since been used to evaluate the 
suitability of certain general-purpose access control systems 
for various unique, application-specific requirements.

C. Usage and Implications 

Unfortunately, there are several indications that research on 
expressiveness analysis is being held back by the inability 
to reconcile the vastly different notions of expressiveness 
simulations and the disconnect between the properties preserved 
by a simulation and those that are important to a practical
deployment. Several works have demonstrated scenarios in which
static notions of expressiveness indicate two systems are equally 
capable of satisfying a set of operational requirements, but 
in practice they are better-suited to very different deployment 
scenarios. Bourdier et al. point out the existence
of several competing techniques for expressiveness analysis,
none of which consider the deployment. They approach one
facet of this problem by proposing a formalism for access 
control systems that can more easily be transformed into 
implementations using rewrite-based tools. Several others
simply express a desire to use expressiveness analysis, but 
never do so, presumably due to the complexities of selecting 
and using the right notion of simulation [22], [23].

A group at the National Institute of Standards and Technology
has developed Policy Machine, an attempt at a universal
access control system (one that can represent any policy 
via only configuration changes). However, in evaluating
Policy Machine’s success, they avoid formally proving its 
expressiveness and instead show informal mappings that 
demonstrate how one might use Policy Machine to represent 
several existing access control systems’ policies [25]. Soon
after, the group published a report bemoaning the lack of 
quality metrics for evaluating access control systems, noting 
that, in access control, “one size does not fit all,” and thus said
metrics must consider the deployment scenario [26].

This overview illustrates that while each notion of expressiveness
simulation has been used to prove various results,
the body of knowledge is troublesome to interpret and utilize
due to the wide variation in the properties required by each
simulation. In this work, we fill this void in the literature
by (1) proposing a minimal definition of simulation that
satisfies properties guaranteeing that its results are practically
useful; (2) presenting a set of additional properties that 
more strict simulations can enforce; and (3) categorizing the 
above notions of simulation based on the properties that they 
enforce. We make the additional contribution of (4) discussing 
relationships between attributes of a deployment scenario and 
the practical effects of enforcing simulation properties, thus 
assisting analysts in selecting the most relevant properties (and 
therefore conducting the most relevant form of expressiveness 
analysis) for the environment in which an access control system 
will be deployed. 


III. Implementable Expressiveness Simulations

In this section, we give requirements for a simulation to be 
implementable and define our general formulation of relative
expressiveness analysis through the lens of implementability. 


A. Implementability Requirements 

In this work, we aim to consider expressiveness simulations 
that are implementable: i.e., practically useful for making
decisions about which system is most suitable for a particular 
deployment. Implementability enforces the following intuition:
if a system T is at least as expressive as S, then one should be 
able to determine a general way to use T in place of S. Thus, 
we define a minimal set of properties for an expressiveness 
mapping to be considered implementable. 

State mapping In order to use T in place of S, it must be 
possible to (uniquely) determine which T state to use in place 
of a particular S state. Thus, the state mapping must be a
function from the simulated system states to the simulating
system states.¹

Command mapping To use T in place of S, it must be 
possible to execute commands in T that are equivalent to 
the commands in S. It is not necessarily the case that each 
S command can be simulated using a single T command, so 
we require a function from S commands to sequences of T 
commands.² Finally, it may be necessary to map an S command
differently depending upon the state in which it is intended to 
be executed. Since using T in place of S means we only have 
a T state to inspect during execution, this function should map 
an S command and a T state to a sequence of T commands.

Query decider For some simulations of S in T, we may only 
care that T allows the same set of accesses that S would. 
However some types of simulations may allow the overriding 
of T’s default method of deciding granted permissions (e.g., 
adding the additional requirement that the requesting user is a 
member of the real_users group, to distinguish from other 
data stored in the user-set). While some types of simulations do 
not allow this, to remain general we simply require a function 
that maps each S query and T state to either true or false. 
In some formalisms, this only includes the queries requesting 
access, while in other cases other types of queries are allowed 
(e.g., “Is user u a member of role r?”). 

We use these requirements to motivate our definition of the
general case of implementable relative expressiveness. 

B. Expressiveness Mappings 

To define relative expressiveness mappings, we must first 
define the state machines that represent access control systems.
Since we aim to compare existing expressiveness simulations, 
we use a formalism for these structures that remains similar to
existing work.

An access control system is formalized as a state machine 
belonging to a particular access control model. An access 
control model formalizes the way in which the access control 
system will store and interpret information to make access 
control decisions. Its data structures are formalized as a set of 
access control states, and its methods for determining whether 
to allow or deny inquiries as a set of authorization requests. 
The value of all requests in a state (whether they are allowed 
or denied) dehnes the access control policy, or theory, to be 
enforced in that state. 

Definition 1 An access control model is defined as $\mathcal{M} = (\Gamma, \mathcal{R})$,
where $\Gamma$ is the set of states and $\mathcal{R}$ is the set of
authorization requests, where each request $r \in \mathcal{R}$ is a function
$\Gamma \to \{\text{TRUE}, \text{FALSE}\}$. The entailment ($\vdash$) of a request is defined
as $\gamma \vdash r \equiv r(\gamma) = \text{TRUE}$. ◇

¹It is possible that multiple states in S can be represented using the same
state in T. Thus, we do not require the state mapping to be an injection.
Furthermore, there may be states in T that are not used to simulate S, and
thus the state mapping need not be a surjection.

²Not sets of T commands, as commands may appear multiple times; and
not bags of T commands, as order matters.



For example, consider a simple role-based access control
model whose states are defined over sets U of users, P of
permissions, and R of roles, as well as the user assignment
$UR \subseteq U \times R$ and permission assignment $PA \subseteq R \times P$. The
requests in this model are of the form “Is u authorized for p?”
which is TRUE if $\exists r : (u, r) \in UR \wedge (r, p) \in PA$.

When we refer to the size of a state, we are referring to the 
size of its decomposition into primitive objects (e.g., users and 
roles) and tuples (e.g., entries in a user assignment relation). 

Definition 2 Given an access control model $\mathcal{M} = (\Gamma, \mathcal{R})$ and
a state $\gamma \in \Gamma$, the set decomposition of $\gamma$ is denoted $[\gamma]$, and
refers to the “set of sets” forming $\gamma$, in which $\gamma$ is represented
as being comprised of primitive sets and relations. ◇


Thus, the size of an access control state $\gamma$ is defined as
$|\gamma| = \sum_{S \in [\gamma]} |S|$. For example, if
$[\gamma] = \{U = \{u_1\}, R = \{r_1, r_2\}, UR = \{(u_1, r_1), (u_1, r_2)\}\}$,
then $|\gamma| = |U| + |R| + |UR| = 5$.

An access control system expands on a model by providing 
methods of transforming the current state and additional 
methods of querying the states. These additional queries allow 
the user to ask additional boolean queries of the system, but a 
value of TRUE does not indicate an authorization was granted. 

Definition 3 Given access control model $\mathcal{M} = (\Gamma, \mathcal{R})$, an
access control system within $\mathcal{M}$ is a state transition system,
$S = (\Gamma, \Psi, Q)$, where $\Psi$ is the set of commands, where each
command $\psi \in \Psi$ is a function $\Gamma \to \Gamma$, and $Q \supseteq \mathcal{R}$ is the
set of queries, where each query $q \in Q$ is a function
$\Gamma \to \{\text{TRUE}, \text{FALSE}\}$. ◇


We use the notation $\text{next}(\gamma, \psi)$ to denote the state
resulting from executing $\psi$ in $\gamma$ (that is, $\psi(\gamma)$), and
$\text{terminal}(\gamma, \langle \psi_1, \ldots, \psi_n \rangle)$ to denote the final state produced by
repeatedly applying $\text{next}$ to the commands $\psi_1, \ldots, \psi_n$ starting
from state $\gamma$: $\text{next}(\ldots \text{next}(\gamma, \psi_1), \ldots, \psi_n)$.

A system based on the example role-based model must 
define commands to transform the state: e.g., to assign roles 
to users, and assign permissions to roles. Additional queries 
beyond the model’s requests may include those of the form 
“Is user u a member of role r?” 

Next, we define an access control mapping, which maps
one system to another but does not enforce any simulation
properties. We define a mapping as motivated in Section III-A
so that it can represent any implementable expressiveness
simulation.


Definition 4 Given two access control systems, $S = (\Gamma^S, \Psi^S, Q^S)$
and $T = (\Gamma^T, \Psi^T, Q^T)$, a mapping from S to T is a triple of
functions $\sigma = (\sigma_\Gamma, \sigma_\Psi, \sigma_Q)$, where:

• $\sigma_\Gamma : \Gamma^S \to \Gamma^T$ is the state mapping

• $\sigma_\Psi : \Psi^S \times \Gamma^T \to (\Psi^T)^*$ is the command mapping

• $\sigma_Q : Q^S \times \Gamma^T \to \{\text{TRUE}, \text{FALSE}\}$ is the query decider


This definition is demonstrated in Fig. 1. Each function
takes its most general form that satisfies the requirements
from Section III-A. Thus, the definition remains general (it
does not enforce any specific security requirements yet), while
ensuring that any such mappings can generate implementable
procedures for using the simulating system in place of the
simulated system.

Fig. 1: The general form of an implementable expressiveness
mapping.

To demonstrate Definition 4, consider mapping a simple
access control list system to the role-based system described
throughout this section. The state mapping can map each ACL
state to a role-based state in which each user u has a unique
role $r_u$, and each user’s role is assigned the permissions from
the ACL state. The command mapping can map, e.g., “grant
u access to o” to “assign o to role $r_u$.” The query mapping
would then map “Can u access o?” to “Is u authorized for o?”
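The ACL-to-RBAC mapping sketched above, worked through in code as an added example that is not part of the paper: S is a small ACL system and T the role-based model of this section, both written as state machines in the sense of Definitions 1–3 (states as set decompositions, commands as state transformers, next/terminal as defined above), together with a mapping σ = (σ_Γ, σ_Ψ, σ_Q) in the shape of Definition 4. The command alphabets of both systems, the `r_u` naming convention, and the `check_mapping` exploration are this example's own assumptions. The check goes a little beyond the text: it enumerates every reachable ACL state and confirms both that each mapped T state agrees with its S state on all access requests and that the T command sequence produced by σ_Ψ lands exactly on the mapped successor state.

```python
"""ACL system S and role-based system T as state machines (Definitions 1-3), a
mapping sigma = (sigma_Gamma, sigma_Psi, sigma_Q) from S to T (Definition 4),
and a brute-force check over every reachable S state.  Constructed example: the
command names and the check are this example's own, not the paper's."""
from collections import deque

def freeze(d):
    """Canonical, hashable form of a state: sorted (set name, frozenset) pairs."""
    return tuple((k, frozenset(v)) for k, v in sorted(d.items()))

def thaw(state):
    return {k: set(v) for k, v in state}

def terminal(next_fn, state, cmds):
    """terminal(gamma, <psi_1, ..., psi_n>): apply next for each command in turn."""
    for c in cmds:
        state = next_fn(state, c)
    return state

# System S: an access control list over explicit user and object sets.
ACL0 = freeze({"U": set(), "O": set(), "ACL": set()})

def acl_next(state, cmd):
    s = thaw(state)
    op, *a = cmd
    if op == "add_user":
        s["U"].add(a[0])
    elif op == "add_object":
        s["O"].add(a[0])
    elif op == "grant" and a[0] in s["U"] and a[1] in s["O"]:
        s["ACL"].add((a[0], a[1]))
    elif op == "revoke":
        s["ACL"].discard((a[0], a[1]))
    return freeze(s)

def acl_can_access(state, u, o):
    return (u, o) in thaw(state)["ACL"]

# System T: the role-based model of Section III-B (sets U, R, P, UR, PA).
def rbac_next(state, cmd):
    s = thaw(state)
    op, *a = cmd
    if op in ("add_user", "add_role", "add_perm"):
        s[{"add_user": "U", "add_role": "R", "add_perm": "P"}[op]].add(a[0])
    elif op == "assign_role" and a[0] in s["U"] and a[1] in s["R"]:
        s["UR"].add((a[0], a[1]))
    elif op == "assign_perm" and a[0] in s["R"] and a[1] in s["P"]:
        s["PA"].add((a[0], a[1]))
    elif op == "revoke_perm":
        s["PA"].discard((a[0], a[1]))
    return freeze(s)

def rbac_authorized(state, u, p):
    """Request 'Is u authorized for p?': some r with (u, r) in UR and (r, p) in PA."""
    s = thaw(state)
    return any((u, r) in s["UR"] and (r, p) in s["PA"] for r in s["R"])

# The mapping sigma from S to T.
def role_of(u):
    return "r_" + u

def sigma_gamma(acl_state):
    """State mapping: each user u gets a unique role r_u carrying u's ACL entries."""
    s = thaw(acl_state)
    return freeze({"U": s["U"], "R": {role_of(u) for u in s["U"]}, "P": s["O"],
                   "UR": {(u, role_of(u)) for u in s["U"]},
                   "PA": {(role_of(u), o) for u, o in s["ACL"]}})

def sigma_psi(cmd, t_state):
    """Command mapping: S command x T state -> sequence of T commands."""
    op, *a = cmd  # this particular mapping never needs to inspect t_state
    if op == "add_user":
        return [("add_user", a[0]), ("add_role", role_of(a[0])), ("assign_role", a[0], role_of(a[0]))]
    if op == "add_object":
        return [("add_perm", a[0])]
    if op == "grant":
        return [("assign_perm", role_of(a[0]), a[1])]
    return [("revoke_perm", role_of(a[0]), a[1])]

def sigma_q(query, t_state):
    """Query decider: 'Can u access o?' is decided by T's own request for (u, o)."""
    _, u, o = query
    return rbac_authorized(t_state, u, o)

def check_mapping(users, objects):
    """Enumerate every S state reachable with this alphabet and verify that
    (a) sigma_Gamma(gamma) agrees with gamma on each access request (SC_a), and
    (b) running sigma_Psi's commands in T lands on sigma_Gamma(next(gamma, psi)).
    Returns (number of reachable S states, list of violations)."""
    cmds = ([("add_user", u) for u in users] + [("add_object", o) for o in objects]
            + [(op, u, o) for op in ("grant", "revoke") for u in users for o in objects])
    seen, queue, violations = {ACL0}, deque([ACL0]), []
    while queue:
        g = queue.popleft()
        t = sigma_gamma(g)
        for u, o in ((u, o) for u in users for o in objects):
            if acl_can_access(g, u, o) != sigma_q(("access", u, o), t):
                violations.append(("SC_a", g, u, o))
        for c in cmds:
            g2 = acl_next(g, c)
            if terminal(rbac_next, t, sigma_psi(c, t)) != sigma_gamma(g2):
                violations.append(("reachability", g, c))
            if g2 not in seen:
                seen.add(g2)
                queue.append(g2)
    return len(seen), violations
```

With two users and one object, `check_mapping(["alice", "bob"], ["f1"])` visits all 13 reachable ACL states and reports no violation. The guards in `acl_next` and `rbac_next` are what make the command mapping state-independent here: a grant for an unknown user is a no-op in S, and the corresponding `assign_perm` on a role that does not exist yet is a no-op in T, so σ_Ψ never has to look at the T state to decide what to emit.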

IV. Expressiveness Simulation Properties 

In this section, we describe the lattice of properties that we 
use to taxonomize access control expressiveness simulations. 

A. Overview of dimensions of properties 

In order for a mapping to be considered a simulation, 
it must enforce additional properties over Definition 4. We
restrict this definition in a variety of ways. Although no set 
of restrictions can be shown to be the full, correct set for all 
conceivable simulations, there are naturally three categories of 
restrictions to consider for simulations, given their structure 
(a set of three functions): i.e., refinements to each of the state 
correspondence, command mapping, and query decider. We also 
consider restrictions to the reachability constraints required (a 
cross-cutting dimension describing how these functions must
relate to one another). A summary of these dimensions is 
depicted in Fig. 
Our state correspondence $\sigma_\Gamma$ can be based on any of a
handful of structural definitions, defined by SC (i.e., what 
elements do we inspect to determine whether two states 
correspond?). Further, SS can limit the amount of storage 
the state correspondence uses (e.g., T must simulate S using 
only a linear amount of additional storage). 

The command mapping can be restricted by CD in what
state elements it can use to map commands (e.g., whether it can 
inspect arbitrary state elements or only those that are exposed 
via queries). CC considers limiting the time-complexity of 
the command mapping routine. Since the command mapping 
returns a sequence of commands, CS can limit the number of 
commands it can return (e.g., only one, or constant in the size 
of the state). We identify CT, a dimension of concurrency- 
related trace structure restrictions, as well as CA, requiring the 
simulation to map S commands executed by certain types of 
users only to T commands executed by that category of users. 

The query decider $\sigma_Q$ can also be restricted in a number
of ways. Like the command mapping, we may limit what 
elements of the state the decider can inspect when deciding 
how to answer queries within a specific state (QD), or the time- 
complexity of the routine (QC). In some cases a simulation of 
S in T may be required to map certain S queries to specific
related queries in T, most notably authorization requests (e.g.,
to answer whether user u should have permission p in S, T
should simply check whether user u has permission p in its 
current T state); this type of restriction is handled in QP. 

Finally, our reachability restrictions R define how these three 
functions relate, by allowing us to parameterize whether we 
require one-way reachability (T must be able to transition to 
states corresponding to all reachable S states) or bidirectional 
reachability (T also cannot transition to states that do not 
correspond to reachable S states). 

The bare minimum set of these simulation properties that 
must be enforced for a mapping to be considered a simulation 
is a notion of state correspondence and a reachability relation. 
We present the definition of implementable expressiveness 
simulation, which refines the mapping by enforcing these 
properties. 

Definition 5 Given two access control systems, $S = (\Gamma^S, \Psi^S, Q^S)$
and $T = (\Gamma^T, \Psi^T, Q^T)$, and a mapping
$\sigma = (\sigma_\Gamma, \sigma_\Psi, \sigma_Q)$ from S to T, an implementable
expressiveness simulation of S in T based on $\sigma$ is defined as
$\sigma' = (\sigma_\Gamma, \sigma_\Psi, \sigma_Q, \equiv, R)$, where:

• $\equiv \subseteq \Gamma^S \times \Gamma^T$ is the state correspondence, and
$\forall \gamma \in \Gamma^S, \gamma \equiv \sigma_\Gamma(\gamma)$

• $R$ is a reachability restriction

We define all properties over the expressiveness simulation
$\sigma = (\sigma_\Gamma, \sigma_\Psi, \sigma_Q, \equiv, R)$. Unless otherwise noted, properties
within a dimension are totally ordered from most to least strict.


B. State correspondence properties 

As discussed in Section III-B, the state correspondence of an implementable simulation of S in T is a function $\sigma_\Gamma : \Gamma^S \to \Gamma^T$ mapping each state in S to a state in T. There are several ways in which we can restrict this mapping.

Dimension SC: State correspondence structure 


This dimension of properties restricts the way in which 
corresponding states are structurally similar. All properties 
within this dimension were inspired by state correspondence re¬ 
lations from prior expressiveness simulations; other application- 
specific state correspondence relations are conceivable. 

SCs: Structure-correspondent

SCq: Query-correspondent

$\gamma^S \sim \gamma^T \Leftrightarrow \forall q \in Q^S.(\gamma^S \vdash q \Leftrightarrow \sigma_Q(q, \gamma^T) = \mathrm{TRUE})$

SCa: Authorization-correspondent

$\gamma^S \sim \gamma^T \Leftrightarrow \forall r \in \mathcal{R}^S.(\gamma^S \vdash r \Leftrightarrow \sigma_Q(r, \gamma^T) = \mathrm{TRUE})$

Authorization-correspondent simulations enforce that every $\gamma^S$ maps to a $\gamma^T$ that agrees on all authorization requests: any permission granted/denied in $\gamma^S$ must also be granted/denied in $\gamma^T$. Requests that exist in T but not in S are not restricted. This type of correspondence is used in [?]. Query-correspondence requires that $\gamma^S$ and $\gamma^T$ agree on all queries, not just authorization requests. This type of correspondence is used in the expressiveness simulations of [?], [?].

Finally, structure-correspondent simulations require all corresponding state elements to be identical. If $\gamma^S$ structure-corresponds to $\gamma^T$, then every set in $\gamma^S$ exists in $\gamma^T$, and contains all the same elements ($\gamma^T$ may contain additional sets or relations). Thus, if $\gamma^S$ contains sets of users and permissions, and a relation between them (a subset of users × permissions) specifying accesses, $\gamma^T$ must contain identical sets of users and permissions, and an identical set of (user, permission) pairs. This notion of state correspondence is used in [?].

The type of state correspondence used is a central character¬ 
istic of a type of simulation. Enforcing a state correspondence 
that is too weak can allow the simulating system to diverge 
from the simulated system in unexpected ways, while a state 
correspondence that is too strong will cause the simulating 
system to track the simulated system more closely than 
necessary (e.g., by constraining the values of queries that the 
deployment never needs to ask). Thus, choosing a particular 
state correspondence is choosing how closely the simulating 
system must stay to the simulated system. 
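To make the three notions of state correspondence concrete, the following Python is an added illustration (it is not code from the paper). It checks SCa, SCq and SCs between one constructed S state (a flat user/permission matrix) and two constructed T states (a role-based state that is authorization-correspondent but nothing more, and one that additionally mirrors the S sets verbatim). The state layouts, the two hypothetical S queries, and the decider functions standing in for $\vdash$ and $\sigma_Q$ are all assumptions made for the example.

```python
from itertools import product

# Constructed example states (not from the paper). An S state is a flat
# user/permission matrix; the T state is role-based and reaches its access
# decisions indirectly through UR (user-role) and PA (permission-assignment).
S_STATE = {
    "users": {"alice", "bob"},
    "perms": {"read", "write"},
    "access": {("alice", "read"), ("alice", "write"), ("bob", "read")},
}
T_STATE_RBAC = {
    "users": {"alice", "bob", "carol"},       # carol exists only in T
    "roles": {"editor", "viewer"},
    "perms": {"read", "write"},
    "UR": {("alice", "editor"), ("bob", "viewer"), ("carol", "viewer")},
    "PA": {("editor", "read"), ("editor", "write"), ("viewer", "read")},
}
# A second constructed T state that also carries S's sets unchanged, so the
# structural notion of correspondence can hold as well.
T_STATE_MIRROR = {
    "users": {"alice", "bob"},
    "roles": {"editor", "viewer"},
    "perms": {"read", "write"},
    "UR": {("alice", "editor"), ("bob", "viewer")},
    "PA": {("editor", "read"), ("editor", "write"), ("viewer", "read")},
    "access": {("alice", "read"), ("alice", "write"), ("bob", "read")},
}

def s_holds(state, user, perm):
    """gamma^S |- (user, perm): a direct lookup in the access relation."""
    return (user, perm) in state["access"]

def t_decides(state, user, perm):
    """Plays the role of sigma_Q for an authorization request: T grants
    (user, perm) iff some role connects them through UR and PA."""
    return any((user, r) in state["UR"] and (r, perm) in state["PA"]
               for r in state["roles"])

# Hypothetical S queries. Each is paired with the way the query decider
# evaluates that same S query on a T state (the second element is sigma_Q).
S_QUERIES = {
    "someone_can_write": (
        lambda s: any(p == "write" for _, p in s["access"]),
        lambda t: any(t_decides(t, u, "write") for u in t["users"])),
    "exactly_two_users": (
        lambda s: len(s["users"]) == 2,
        lambda t: len(t["users"]) == 2),
}

def authorization_correspondent(s, t):
    """SCa: every S request is answered identically by T. Requests that exist
    only in T (anything about carol) are unconstrained."""
    return all(s_holds(s, u, p) == t_decides(t, u, p)
               for u, p in product(s["users"], s["perms"]))

def query_correspondent(s, t, queries=S_QUERIES):
    """SCq: every S query evaluates identically in the two states."""
    return all(in_s(s) == in_t(t) for in_s, in_t in queries.values())

def structure_correspondent(s, t):
    """SCs: each set/relation of the S state exists in T with identical
    contents; T may carry extra sets (roles, UR, PA)."""
    return all(name in t and t[name] == elems for name, elems in s.items())

def correspondence_profile(s, t):
    """Which notions hold between s and t, listed from most to least strict."""
    return {"SCs": structure_correspondent(s, t),
            "SCq": query_correspondent(s, t),
            "SCa": authorization_correspondent(s, t)}

if __name__ == "__main__":
    print("RBAC  ", correspondence_profile(S_STATE, T_STATE_RBAC))
    print("mirror", correspondence_profile(S_STATE, T_STATE_MIRROR))
```

The role-based state agrees with S on every (user, permission) request, so SCa holds, yet it fails SCq because the query about the number of users diverges (carol is visible through queries even though she owns no S request), and it fails SCs because the user set differs. The mirrored state satisfies all three, which matches the ordering of the dimension: SCs is the strictest, and weakening to SCa is exactly what lets the simulating system carry extra structure the deployment never asks about.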


Dimension SS: State storage 


An orthogonal class of restrictions that can be placed on the state correspondence relation involves its allowed storage. Here, we restrict the size of $\gamma^T = \sigma_\Gamma(\gamma^S)$ with respect to $\gamma^S$.

SSl: Linear storage

$\exists c \in \mathbb{R}^+, s : \forall \gamma \in \Gamma^S : |\gamma| > s \Rightarrow |\sigma_\Gamma(\gamma)| \le c|\gamma|$

SSp: Polynomial storage

$\exists k \in \mathbb{N}^+, s : \forall \gamma \in \Gamma^S : |\gamma| > s \Rightarrow |\sigma_\Gamma(\gamma)| \le |\gamma|^k$

SS∞: Unbounded storage No restriction.

A linear storage simulation says that $\gamma^T$ can grow at most linearly with $\gamma^S$, while in a polynomial storage simulation, the size of $\gamma^T$ is bounded by a polynomial in the size of $\gamma^S$. The most obvious result of enforcing properties within SS is limited trusted storage, but it can also limit iteration over the resulting state (e.g., if an action must be taken for each document in the simulating system, SSl ensures that this sequence of actions is linear in the size of the simulated state).

C. Command mapping properties 

Recall that the command mapping for an implementable simulation (Definition [?]) is a function $\sigma_\Psi : \Psi^S \times \Gamma^T \to (\Psi^T)^*$ that returns the sequence of T commands needed to simulate an S command starting from a particular T state. Thus, it allows us to simulate S commands in an active simulation using T. We now discuss the ways in which we can restrict this mapping.

Dimension CD: Command mapping dependence 

While Definition [?] maps each S command and T state to a sequence of T commands, some previous works use more strict command mappings, mapping each S command to a sequence of T commands without considering the state [?]. In between these options, we may map each S command and T theory, calculating the sequence of T commands by observing only the queriable portions of the T state. Command mapping dependence thus restricts the information that the command mapping can consider about a T state when calculating the trace of T commands to execute.

CDi: Independent command mapping

$\exists \sigma' : \Psi^S \to (\Psi^T)^*.(\sigma_\Psi(\psi, \gamma) = \sigma'(\psi))$

CDt: Theory-dependent command mapping

$\exists \sigma' : \Psi^S \times Th(T) \to (\Psi^T)^*.(\sigma_\Psi(\psi, \gamma) = \sigma'(\psi, Th(\gamma)))$

CDs: State-dependent command mapping No restriction.

With independent command simulations, S commands must be precompiled to T commands which will work in any reachable T state. This is a restriction placed by [10]. Theory-dependent command mappings allow limited inspection of the T state; this restriction allows the sequence of T commands to be determined based only on the theory of the T state: the values of all T queries in the state. If two T states answer all queries the same way, the same T commands would be used in both to simulate an S command. With this restriction, the monitor that transforms S inputs into T procedures need not be more privileged than users of the access control system, since queries are the user's only API to observe the state.

Finally, state-dependent command mappings can arbitrarily 
observe the state. This requires a monitor that is privileged 
enough to observe elements of the state that are not queriable, 
and two states that answer all queries identically may simulate 
commands differently depending on unobservable state. 

Dimension CC: Command mapping complexity 


Having considered the inputs available to the command mapping, we now consider the time complexity of this mapping. Note that this is measured as the increase in time as the state grows and thus is meaningless for independent command mappings.

CCc: Constant command mapping $\forall \psi \in \Psi^S$, the algorithm for $\sigma_\psi(\gamma) = \sigma_\Psi(\psi, \gamma)$ has time complexity $T(n) \in O(1)$

CCl: Linear command mapping $\forall \psi \in \Psi^S$, the algorithm for $\sigma_\psi(\gamma) = \sigma_\Psi(\psi, \gamma)$ has time complexity $T(n) \in O(n)$

CC∞: Unbounded command mapping No restriction.

Constant command simulations do not allow more processing 
time for bigger states. Thus, the command mapping cannot 
loop over sets within the state. With linear command, the 
command mapping can take time linear in the size of the state, 
e.g., looping over sets in the state, but cannot contain double 
loops over sets, sort sets, etc. Finally, unbounded command 
simulations put no limit on the complexity of the command 
mapping (though we may expect it to have to be tractable, e.g., 
poly-time). 

Dimension CS: Command mapping stuttering 

Since the command mapping maps an S command (in a given T state) to a sequence of T commands, we may restrict the number of commands that can be used to simulate a single S command.

CSl: Lock-step $\forall \psi \in \Psi^S, \gamma \in \Gamma^T : |\sigma_\Psi(\psi, \gamma)| \le 1$

CSc: Constant step $\exists c : \forall \psi \in \Psi^S, \gamma \in \Gamma^T : |\sigma_\Psi(\psi, \gamma)| \le c$

CS∞: Unbounded step No restriction.

A lock-step simulation allows at most one T command for 
each simulated S command. This mitigates concurrency issues 
for multiuser systems, since the system does not pass through 
potentially inconsistent states between command executions. 
Constant step simulations allow multiple commands to be 
used, but only a number constant in the size of the state. Thus, 
multiple actions can be taken, but not, e.g., a command for each 
user in the system. Finally, unbounded step does not restrict 
how many T commands can be executed per S command. 

Dimension CT: Trace structure 

This class of properties enforces structural constraints on the traces of commands returned by the command mapping. This can address the potentially inconsistent states between start and end states in traces generated by the command mapping. Here, we present several examples of trace restrictions, using the notation $terminal(\gamma, \psi_1 \cdots \psi_j)$ to denote the end state resulting from executing the sequence of commands $\psi_1, \ldots, \psi_j$, starting from the state $\gamma$. Note that this dimension of properties is not totally ordered.



Fig. 3: A graphical representation of semantic lock-step

CTl: Semantic lock-step

$\forall \psi \in \Psi^S, \gamma^S \in \Gamma^S, \gamma^T \in \Gamma^T.($
$\quad \exists \vec{\psi} = (\psi_1, \ldots, \psi_m) \in (\Psi^T)^*, i \in [1, m].($
$\quad\quad \sigma_\Psi(\psi, \gamma^T) = \vec{\psi}\ \wedge$
$\quad\quad \forall j \in [1, i).(\gamma^S \sim \gamma^T \Rightarrow \gamma^S \sim terminal(\gamma^T, \psi_1 \cdots \psi_j))\ \wedge$
$\quad\quad \forall j \in [i, m].(\gamma^S \sim \gamma^T \Rightarrow next(\gamma^S, \psi) \sim terminal(\gamma^T, \psi_1 \cdots \psi_j))))$

First, a semantic lock-step simulation can appear to be lock-step (i.e., it does not enter any inconsistent states), because even though it is allowed to execute multiple T commands to simulate a single S command, only one of those commands is allowed to make correspondence-related changes. That is, consider the sequence of T states constructed by executing the sequence of commands $\sigma_\Psi(\psi, \gamma^T)$. In semantic lock-step, all of these states must correspond to either the start state in S or the end state in S, and once the transition from start state to end state is made, the remaining states must all be equivalent to the end state. Thus, from the point of view of a user who can ask any combination of queries, the simulation appears to be lock-step. This restriction is depicted in Fig. 3.

CTq: Query monotonic

$\forall \psi \in \Psi^S, \gamma \in \Gamma^T, q \in Q^T.\ monotonic(\psi, \gamma, q)$, where:

$monotonic(\psi, \gamma, q) = \exists \vec{\psi} = (\psi_1, \psi_2, \ldots, \psi_m) \in (\Psi^T)^*.($
$\quad \sigma_\Psi(\psi, \gamma) = \vec{\psi}\ \wedge$
$\quad \forall i \in (1, m).($
$\quad\quad terminal(\gamma, \psi_1 \cdots \psi_i) \vdash q \Rightarrow (terminal(\gamma, \psi_1 \cdots \psi_{i-1}) \vdash q \vee terminal(\gamma, \psi_1 \cdots \psi_m) \vdash q)\ \wedge$
$\quad\quad terminal(\gamma, \psi_1 \cdots \psi_i) \nvdash q \Rightarrow (terminal(\gamma, \psi_1 \cdots \psi_{i-1}) \nvdash q \vee terminal(\gamma, \psi_1 \cdots \psi_m) \nvdash q)))$

Consider the start and end states of a trace in T, $\gamma$ and $\gamma'$, respectively. Let $Q^+$ be the set of queries that become true in $\gamma'$ that were false in $\gamma$, and $Q^-$ be the set of queries that become false in $\gamma'$ that were true in $\gamma$. During the trace from $\gamma$ to $\gamma'$, query monotonicity enforces that no queries are made true except $Q^+$, and no queries are made false except $Q^-$. Thus, from the point of view of a user who can ask only single queries, the simulation appears to be lock-step.

CTa: Access monotonic

$\forall \psi \in \Psi^S, \gamma \in \Gamma^T, r \in \mathcal{R}^T.\ monotonic(\psi, \gamma, r)$

Access monotonicity is similar to query monotonicity but considering only authorization requests. Let $\mathcal{R}^+$ be the set of requests that become allowed in $\gamma'$ that were denied in $\gamma$, and $\mathcal{R}^-$ be the set of requests that become denied in $\gamma'$ that were allowed in $\gamma$. During the trace from $\gamma$ to $\gamma'$, access monotonicity enforces that no requests are granted except $\mathcal{R}^+$, and no requests are revoked except $\mathcal{R}^-$.

CTs: Non-contaminating

$\forall \psi \in \Psi^S, \gamma^T \in \Gamma^T.($
$\quad \exists \vec{\psi} = (\psi_1, \psi_2, \ldots, \psi_m) \in (\Psi^T)^*.($
$\quad\quad \sigma_\Psi(\psi, \gamma^T) = \vec{\psi}\ \wedge$
$\quad\quad \forall \gamma_i \in \{\gamma_i \mid i \in [1, m],\ \gamma_i = terminal(\gamma^T, \psi_1 \cdots \psi_i)\}.($
$\quad\quad\quad Allowed(\gamma_i) \subseteq Allowed(\gamma^T)\ \vee$
$\quad\quad\quad Allowed(\gamma_i) \subseteq Allowed(terminal(\gamma^T, \vec{\psi})))))$

The non-contaminating trace property ensures that no two accesses are allowed in the same state that are not both allowed in either the start or end state. This prevents, e.g., an intermediate state where a file can be accessed by two users simultaneously when simulating a command intended to switch which user can access the file. This definition uses the $Allowed(\gamma)$ notation, indicating the set of all permissions p allowed in state $\gamma$ (i.e., such that $\gamma \vdash p$).
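The following Python is an added example serving both dimension CS (stuttering) and the CTs property above; it is not code from the paper. It models a tiny T whose authorization state is a set of (user, object) pairs, defines $terminal$ and $Allowed$ over it, and compares two hypothetical command mappings for the "switch which user can access the file" S command the text mentions. The command names grant/revoke, the two transfer mappings, and the starting state are constructed for the example.

```python
from copy import deepcopy

# Constructed T states (not from the paper): the authorization state is the
# set of (user, object) pairs currently allowed, so Allowed(gamma) is exactly
# this set, i.e. the requests r with gamma |- r.
def allowed(state):
    return frozenset(state["access"])

# Two native T commands. Each returns a fresh state instead of mutating.
def grant(user, obj):
    def cmd(state):
        new = deepcopy(state)
        new["access"].add((user, obj))
        return new
    return cmd

def revoke(user, obj):
    def cmd(state):
        new = deepcopy(state)
        new["access"].discard((user, obj))
        return new
    return cmd

def terminal(state, commands):
    """terminal(gamma, psi_1 ... psi_m): the state after running the trace."""
    for cmd in commands:
        state = cmd(state)
    return state

def trace_states(state, commands):
    """Every terminal(gamma, psi_1 ... psi_i) for i in [1, m], in order."""
    states = []
    for cmd in commands:
        state = cmd(state)
        states.append(state)
    return states

# Two hypothetical command mappings sigma_Psi for the single S command
# "transfer access to obj from user frm to user to"; they differ only in
# the order of the two T commands.
def transfer_grant_first(gamma_t, obj, frm, to):
    return [grant(to, obj), revoke(frm, obj)]

def transfer_revoke_first(gamma_t, obj, frm, to):
    return [revoke(frm, obj), grant(to, obj)]

# Dimension CS: how many T commands one S command may expand to.
def is_lock_step(trace):             # CSl
    return len(trace) <= 1

def is_constant_step(trace, c):      # CSc for a chosen constant c
    return len(trace) <= c

# Dimension CT, property CTs: every intermediate Allowed set must lie inside
# Allowed(start) or inside Allowed(end).
def is_non_contaminating(start, trace):
    end = terminal(start, trace)
    return all(allowed(mid) <= allowed(start) or allowed(mid) <= allowed(end)
               for mid in trace_states(start, trace))

def evaluate(mapping, start, obj, frm, to):
    """Classify one mapping's trace under CSl, CSc (with c = 2) and CTs."""
    trace = mapping(start, obj, frm, to)
    return {"CSl": is_lock_step(trace),
            "CSc": is_constant_step(trace, 2),
            "CTs": is_non_contaminating(start, trace)}

# Constructed start state: alice holds doc1; carol's doc2 access is unrelated.
START = {"access": {("alice", "doc1"), ("carol", "doc2")}}

if __name__ == "__main__":
    print("grant first :", evaluate(transfer_grant_first, START, "doc1", "alice", "bob"))
    print("revoke first:", evaluate(transfer_revoke_first, START, "doc1", "alice", "bob"))
```

Neither mapping is lock-step (each emits two T commands), both are constant step, but only the revoke-first ordering is non-contaminating: granting first passes through a state in which alice and bob both hold doc1, a set of accesses that is a subset of neither the start nor the end state. The check is the one a reviewer would run over a proposed mapping before exposing its intermediate states to concurrent users.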

Dimension CA: Actor preservation 

Actor preservation properties restrict which users can be invoked in T to handle S commands. Here, we assume that $a(\psi)$ denotes the actor executing the command $\psi$. Note that this requires system support (e.g., the executing actor being an implicit argument passed to a command) in order for a simulation to be executable.

CAs: Self-execution $\forall \psi \in \Psi^S, \gamma \in \Gamma^T, \psi^T \in \sigma_\Psi(\psi, \gamma).\ a(\psi^T) = a(\psi)$

CAa: Administration-preservation Let A be the administrative subset of executing entities in the system. $\forall \psi \in \Psi^S, \gamma \in \Gamma^T, \forall \psi^T \in \sigma_\Psi(\psi, \gamma),\ a(\psi^T) \in A \Rightarrow a(\psi) \in A$

Self-execution says that any command in S executed by any user u must be mapped to a sequence of commands in T, all of which are executed by u. Administration-preservation prevents the invocation of administrators in T where they were not needed in S. In an administration-preserving simulation, any command in S executed by a non-administrative user is mapped to a sequence of commands in T, none of which is executed by an administrator. Other forms of actor preservation, as well as defining the set of administrators, are application-specific.

D. Query decider properties 

We defer the bulk of the technical discussion of the query decider restrictions to Appendix A, as they are largely similar to the command mapping restrictions. Query decider dependence (QD), like command mapping dependence (CD), restricts the information that the query decider can consider about a T state when deciding the truth value of an S query in that state. Query decider complexity (QC) restricts the runtime of the routine.

Query preservation (QP) indicates which queries need to stay the same as they are mapped from system S to system T. A particular application may require any given set of queries to be preserved; the most common property in this dimension is authorization preservation, which enforces that the query decider maps each S request to the value of the identical request in the T state. This can be seen as ensuring that T is using its model "as intended" (i.e., forcing it to answer simulated requests as it would its own native requests).

E. Reachability 

Dimension R: Reachability 

The last dimension of properties we consider ties the mappings together to ensure the simulation is indeed what one could consider a simulation in the classic sense. A state correspondence, query decider, and command mapping do not automatically define a simulation without reachability constraints. Here, we define forward and bidirectional reachability, two variants of this type of constraint (note that these properties are presented in increasing strictness since the latter builds upon the former).

R→: Forward reachability

$\forall \gamma_0, \gamma_f \in \Gamma^S, \gamma_0^T \in \Gamma^T.($
$\quad \gamma_0 \sim \gamma_0^T \wedge \gamma_0 \mapsto \gamma_f \Rightarrow \exists \gamma_f^T \in \Gamma^T.($
$\quad\quad \gamma_0^T \mapsto^* \gamma_f^T \wedge \gamma_f \sim \gamma_f^T))$

R↔: Bidirectional reachability Forward reachability, and:

$\forall \gamma_0 \in \Gamma^S, \gamma_0^T, \gamma_f^T \in \Gamma^T.($
$\quad \gamma_0 \sim \gamma_0^T \wedge \gamma_0^T \mapsto \gamma_f^T \Rightarrow \exists \gamma_f \in \Gamma^S.($
$\quad\quad \gamma_0 \mapsto^* \gamma_f \wedge \gamma_f \sim \gamma_f^T))$

In forward reachability, any transition made in S must be possible in T. If $\gamma_0$ corresponds to $\gamma_0^T$, and $\gamma_f$ can be reached from $\gamma_0$ via the commands of S, then $\gamma_f$ must correspond to a state $\gamma_f^T$ in T that is reachable from $\gamma_0^T$. The notion of state correspondence is determined by the property chosen in dimension SC.

Bidirectional reachability (or bi-reachability) also requires that T cannot enter a state that does not correspond to a reachable state in S. If $\gamma_0$ corresponds to $\gamma_0^T$, and $\gamma_f^T$ is reachable from $\gamma_0^T$ by executing a command, then there must exist an S state $\gamma_f$ that corresponds to $\gamma_f^T$ and that is reachable from $\gamma_0$ by executing one or more commands. This process may make use of multiple steps, since the procedure for finding the corresponding S states does not need to be constructed; these states must simply exist. The operational advantage of enforcing R↔ is that, even if the simulating system's native operations are exposed to users, the system can never enter a state that does not have an equivalent in the simulated system.
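As an added example (not code from the paper), the Python below checks R→ and R↔ by exhaustive search over two small, constructed finite systems. S is a document that is either open or locked; T offers the same two commands plus a native archive operation with no S counterpart, and T' is T with that operation removed. The transition tables, the correspondence relation, and the names of the systems are assumptions for the example; $\mapsto^*$ is taken as the reflexive-transitive closure (zero or more commands).

```python
from collections import deque

# Constructed finite systems (not from the paper). A system is a table
# state -> {command: next_state}; gamma |-> gamma' is one command step.
# S: a document that is either open or locked.
S_SYS = {
    "open":   {"lock": "locked"},
    "locked": {"unlock": "open"},
}
# T: the same, plus a native "archive" operation that S does not have.
T_SYS = {
    "open":     {"lock": "locked"},
    "locked":   {"unlock": "open", "archive": "archived"},
    "archived": {},
}
# T': T with the extra native operation removed.
T_SYS_STRICT = {
    "open":   {"lock": "locked"},
    "locked": {"unlock": "open"},
}
# State correspondence ~ as a set of (gamma^S, gamma^T) pairs. The T state
# "archived" corresponds to no S state.
CORR = {("open", "open"), ("locked", "locked")}

def step(system, state):
    """All gamma' with gamma |-> gamma' (one command)."""
    return set(system[state].values())

def reachable(system, start):
    """|->*: every state reachable by zero or more commands, via BFS."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in step(system, cur):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def forward_reachability(S, T, corr):
    """R->: for every S step gamma_0 |-> gamma_f and every T state
    corresponding to gamma_0, some T state reachable from it corresponds
    to gamma_f."""
    for g0_s, g0_t in corr:
        for gf_s in step(S, g0_s):
            if not any((gf_s, gf_t) in corr for gf_t in reachable(T, g0_t)):
                return False
    return True

def bidirectional_reachability(S, T, corr):
    """R<->: forward reachability, and every T step out of a corresponding
    T state lands on a state that has a reachable S counterpart."""
    if not forward_reachability(S, T, corr):
        return False
    for g0_s, g0_t in corr:
        for gf_t in step(T, g0_t):
            if not any((gf_s, gf_t) in corr for gf_s in reachable(S, g0_s)):
                return False
    return True

if __name__ == "__main__":
    print("T  forward:", forward_reachability(S_SYS, T_SYS, CORR))               # True
    print("T  bidir  :", bidirectional_reachability(S_SYS, T_SYS, CORR))         # False
    print("T' bidir  :", bidirectional_reachability(S_SYS, T_SYS_STRICT, CORR))  # True
```

T satisfies forward reachability (everything S can do, T can do), but fails bi-reachability because its native archive command leads to a state with no S counterpart; this is precisely the exposure the text attributes to leaving a simulating system's native operations reachable. T' satisfies both. For real systems the state space is not finite, so the search stands in for the proof obligation rather than replacing it.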


V. Positioning Existing Simulations

As mentioned in Section IV-A, no set of properties can be proven to describe all conceivable simulations. In this section, we support the set of properties defined in this work by showing that it can precisely describe the wide range of existing expressiveness simulations.

A. Expressiveness using Simulation Properties

We will now draw the formal distinction between a simulation and expressiveness. Here, we use $T\ \mathrm{sim}_X\ S$ to denote "T can admit a simulation of type X of S", and $S \preceq_X T$ to denote "T is at least as expressive as S with respect to simulations of type X".

While previous work considers the expressiveness result to be equivalent to a simulation (i.e., $T\ \mathrm{sim}\ S = S \preceq T$), expressiveness in a practical sense is subject to a subtle distinction. Since we mean for expressiveness to be implementable (i.e., if T is as expressive as S, then T can be used in place of S), expressiveness within the domain of simulation properties should mean the following: if T is as expressive as S, then T can simulate any system that S can simulate. Thus, we define expressiveness in the context of a set of simulation properties.

Definition 6 (Expressiveness) Given access control systems S and T and a set of simulation properties V, we say that T is at least as expressive as S with respect to V (denoted $S \preceq_V T$) to mean that, for every system U, if S can simulate U while enforcing V, then T can simulate U while enforcing V ($\forall U : S\ \mathrm{sim}_V\ U \Rightarrow T\ \mathrm{sim}_V\ U$). ◇

We first point out that this definition of expressiveness is strictly more general than the more traditional (often implied) notion. Since S can trivially simulate itself, $S \preceq_V T$ implies $T\ \mathrm{sim}_V\ S$. The additional generalization can be viewed from a formal standpoint as dropping the (incorrect) assumption that all types of simulation are transitive (i.e., that $T\ \mathrm{sim}\ S$ and $S\ \mathrm{sim}\ U$ imply $T\ \mathrm{sim}\ U$). For instance, assume that T can simulate S and S can simulate U, each with a quadratic increase in state storage. While T may be able to simulate U, this simulation may require greater than quadratic storage.

From a more intuitive standpoint, we point out that, except in the case of custom-built access control solutions, any deployment is a simulation of a workload (i.e., ideal operation) using an existing system. That is, unless S is custom-made to exactly satisfy the desired workload, replacing it with T is not a matter of whether T can simulate S, but whether T can admit an equally good simulation of the (perhaps not formally specified) workload that S is known to simulate. This concept is discussed by Kane and Browne, who point out that an access control implementation is often only an approximation of the desired policy. In particular, as policy languages get more complex, deployments often make use of approximations that are easier to analyze and more efficient to enforce than the overly-expressive policy language.

B. Decomposing Expressiveness Simulations to Properties

In order to use the set of expressiveness simulation properties detailed in Section IV to systematically compare previously proposed notions of simulation, we present our formal way of stating that a notion of simulation and a set of simulation properties are equivalent. We call this correspondence simulation decomposition: when a notion of simulation X can be decomposed to a set of simulation properties V, then analyses using X and V yield equivalent expressiveness results.

Definition 7 (Simulation Decomposition) Given a notion of access control simulation X and a set of simulation properties V, X can be decomposed to V (denoted X = V) if and only if for all systems S and T, $T\ \mathrm{sim}_X\ S \Leftrightarrow S \preceq_V T$. That is, T admits an X simulation of S if and only if T is at least as expressive as S with respect to properties V. ◇

Recall from Definition 6 that $S \preceq_V T$ says that any system that can be simulated by S while preserving properties V can also be simulated by T while preserving V. In light of this, we will position an existing notion of simulation, X, within the lattice formed by our simulation properties (i.e., prove X = V) by proving the following for the set of properties V:

1) (Only-if direction) $T\ \mathrm{sim}_X\ S \wedge S\ \mathrm{sim}_V\ U \Rightarrow T\ \mathrm{sim}_V\ U$

2) (If direction) $S \preceq_V T \Rightarrow T\ \mathrm{sim}_X\ S$

We give an example of such a proof in the following section.

C. Example Decomposition

To demonstrate how simulation decomposition proofs are written, we now consider the Ammann-Lipton-Sandhu simulation [?]. The ALS simulation considers access control states as graphs: sets of primitive objects are node types, and sets of relations are edge types. The set of node types and edge types in the states of system S are denoted NT(S) and ET(S), respectively. The ALS state correspondence is then defined as follows (reworded slightly from [?]).

Definition 8 A state in system S, a simulated system, and a state in system T, a simulating system, correspond iff the graph defining the state in S is identical to the subgraph obtained by taking the state in T and discarding all nodes (edges) not in NT(S) (ET(S)). ◇

The ALS simulation is defined with respect to this state 
correspondence. 

Definition 9 Under the definition of correspondence in Definition 8, system T simulates system S iff the following conditions hold:

1) If system S can reach a given state, system T can reach 
a corresponding state. 

2 ) If system T can reach a given state, system S can reach 
a corresponding state. 

We will now demonstrate the two-step simulation decomposition proof technique described in Section V-B for the ALS simulation. For the purposes of this proof, let the set of simulation properties V = {SCs, QPa, R↔}. Recall that SCs is structure state correspondence, which says that the simulating state must include all of the unaltered sets from the simulated state; QPa is authorization preservation, which says that each authorization request must be mapped identically from simulated to simulating system (and thus the simulating system must support the same set of requests as the simulated system); and R↔ is bireachability, which says that the simulating system can reach a state which corresponds to each reachable simulated state, and cannot reach a state which does not correspond to a reachable state in the simulated system.

We will demonstrate the two steps of the proof technique by proving two requisite lemmas. First, step 1 (only-if direction):

Lemma 1 Given access control systems S, T, and U,

$T\ \mathrm{sim}_{ALS}\ S \wedge S\ \mathrm{sim}_V\ U \Rightarrow T\ \mathrm{sim}_V\ U$

That is, if T admits an ALS simulation of S, and S admits a simulation of U with properties {SCs, QPa, R↔}, then T admits a simulation of U with properties {SCs, QPa, R↔}.

Proof: To prove this lemma, we let S, T, and U be access control systems such that $T\ \mathrm{sim}_{ALS}\ S$ and $S\ \mathrm{sim}_V\ U$ but are otherwise arbitrary, and we show that $T\ \mathrm{sim}_V\ U$.

Choose an arbitrary state $\gamma_0^U \in \Gamma^U$ and command $\psi^U \in \Psi^U$, and let $next(\gamma_0^U, \psi^U) = \gamma_f^U$. Let $\gamma_0^S \in \Gamma^S$ such that $\gamma_0^U \sim \gamma_0^S$. Since $S\ \mathrm{sim}_V\ U$,

$\exists \gamma_f^S \in \Gamma^S.(terminal(\gamma_0^S, \sigma_\Psi(\psi^U, \gamma_0^S)) = \gamma_f^S \wedge \gamma_f^U \sim \gamma_f^S)$

Let $\gamma_0^T \in \Gamma^T$ such that $\gamma_0^S \sim \gamma_0^T$. Since $T\ \mathrm{sim}_{ALS}\ S$,

$\exists \gamma_f^T \in \Gamma^T.(\gamma_0^T \mapsto^* \gamma_f^T \wedge \gamma_f^S \sim \gamma_f^T)$

Thus, there exists a sequence of T commands $\vec{\Psi}^T$ such that $terminal(\gamma_0^T, \vec{\Psi}^T) = \gamma_f^T$. Define $\sigma'_\Psi : \Psi^U \times \Gamma^T \to (\Psi^T)^*$ such that it returns $\vec{\Psi}^T$ for $\psi^U, \gamma_0^T$.

Then, given $\gamma_0^U \in \Gamma^U$, $\gamma_0^T \in \Gamma^T$, $\psi^U \in \Psi^U$ such that $next(\gamma_0^U, \psi^U) = \gamma_f^U$ and $\gamma_0^U \sim \gamma_0^T$,

$\exists \gamma_f^T \in \Gamma^T.(terminal(\gamma_0^T, \sigma'_\Psi(\psi^U, \gamma_0^T)) = \gamma_f^T \wedge \gamma_f^U \sim \gamma_f^T)$

Hence, $T\ \mathrm{sim}_{\{SCs, R_{\rightarrow}\}}\ U$. Next, we show QPa.

Choose some arbitrary request $r^U \in \mathcal{R}^U$ and state $\gamma_0^T \in \Gamma^T$. Since $S\ \mathrm{sim}_V\ U$,

$\forall r^U \in \mathcal{R}^U, \gamma^S \in \Gamma^S,\ \sigma_Q(r^U, \gamma^S) = \gamma^S \vdash r^U$

Thus, we know that S supports all U requests, and corresponding S and U states will answer U requests identically. Therefore, $r^U \in \mathcal{R}^S$. Since $T\ \mathrm{sim}_{ALS}\ S$,

$\forall r^S \in \mathcal{R}^S, \gamma^T \in \Gamma^T,\ \sigma_Q(r^S, \gamma^T) = \gamma^T \vdash r^S$

Thus, $\sigma_Q(r^U, \gamma^T) = \gamma^T \vdash r^U$.

Hence, $T\ \mathrm{sim}_{\{SCs, QPa, R_{\rightarrow}\}}\ U$. Next, we show R↔.

Choose some arbitrary states $\gamma_0^T, \gamma_f^T \in \Gamma^T$ such that $\gamma_0^T \mapsto \gamma_f^T$. Let $\gamma_0^S \in \Gamma^S$ such that $\gamma_0^S \sim \gamma_0^T$. Since $T\ \mathrm{sim}_{ALS}\ S$,

$\exists \gamma_f^S.(\gamma_0^S \mapsto^* \gamma_f^S \wedge \gamma_f^S \sim \gamma_f^T)$

Let $\gamma_0^U \in \Gamma^U$ such that $\gamma_0^U \sim \gamma_0^S$. Since $S\ \mathrm{sim}_V\ U$,

$\exists \gamma_f^U.(\gamma_0^U \mapsto^* \gamma_f^U \wedge \gamma_f^U \sim \gamma_f^S)$
[Fig. 4 (c): Partial lattice of simulations]

Thus, given $\gamma_0^T, \gamma_f^T \in \Gamma^T$ such that $\gamma_0^T \mapsto \gamma_f^T$ and $\gamma_0^T \sim \gamma_0^U$,

$\exists \gamma_f^U \in \Gamma^U.(\gamma_0^U \mapsto^* \gamma_f^U \wedge \gamma_f^U \sim \gamma_f^T)$

Hence, $T\ \mathrm{sim}_V\ U$. ■

Next, we demonstrate step 2 (if direction):

Lemma 2 Given access control systems S and T and simulation properties V = {SCs, QPa, R↔}, $S \preceq_V T \Rightarrow T\ \mathrm{sim}_{ALS}\ S$. That is, if T is at least as expressive as S with respect to properties V, then T admits an ALS simulation of S.

Proof: To prove this lemma, we let S and T be arbitrary access control systems such that $S \preceq_V T$, and we show that $T\ \mathrm{sim}_{ALS}\ S$.

Since $S \preceq_V T$, for any access control system U, if $S\ \mathrm{sim}_V\ U$, then $T\ \mathrm{sim}_V\ U$. Since S can trivially simulate itself, $S\ \mathrm{sim}_V\ S$, and thus $T\ \mathrm{sim}_V\ S$.

Thus, given $\gamma_0^S, \gamma_f^S \in \Gamma^S$, $\gamma_0^T \in \Gamma^T$, by forward reachability, if $\gamma_0^S \sim \gamma_0^T$ and $\gamma_0^S \mapsto \gamma_f^S$, then

$\exists \gamma_f^T.(\gamma_0^T \mapsto^* \gamma_f^T \wedge \gamma_f^S \sim \gamma_f^T)$

Since SCs and QPa satisfy the ALS definition of state correspondence, this means we have satisfied the first property of the ALS simulation:

1) If S can reach a given state, T can reach a corresponding state.

And by bidirectional reachability, given $\gamma_0^S \in \Gamma^S$, $\gamma_0^T, \gamma_f^T \in \Gamma^T$, if $\gamma_0^S \sim \gamma_0^T$ and $\gamma_0^T \mapsto \gamma_f^T$, then

$\exists \gamma_f^S.(\gamma_0^S \mapsto^* \gamma_f^S \wedge \gamma_f^S \sim \gamma_f^T)$

And therefore, we have satisfied the second property of the ALS simulation:

2) If T can reach a given state, S can reach a corresponding state.

These properties satisfy the definition for ALS simulation, and hence T admits an ALS simulation of S ($T\ \mathrm{sim}_{ALS}\ S$). ■

Therefore, we have proved the decomposition of the ALS simulation:

Theorem 3 ALS = {SCs, QPa, R↔}; that is, the ALS simulation decomposes to structure correspondence, authorization preservation, and bidirectional reachability.

Proof: By Lemma 1, if $T\ \mathrm{sim}_{ALS}\ S$, then $S \preceq_V T$. By Lemma 2, if $S \preceq_V T$, then $T\ \mathrm{sim}_{ALS}\ S$. Thus, $S \preceq_V T$ if and only if $T\ \mathrm{sim}_{ALS}\ S$, and thus the ALS simulation decomposes to {SCs, QPa, R↔}. ■

All other decomposition proofs can be found in Appendix B.

D. Results 

Now, we present the results of decomposing the simulations from the series of previous works discussed in Section [?] into sets of simulation properties from Section IV. First, a chart of our results is shown in Fig. 4, which states the decomposition of the SMG simulation [?], the Ganta simulation [?], the ALS simulation, the CDM weak and strong simulations [10], the TL state-matching reduction [12], and HMG+ parameterized expressiveness (along with several parameterized expressiveness properties) [?]. Properties are omitted if they are not explicitly required by the simulation's definition but are implied by other, explicit properties (e.g., CDMs decomposes to a set including CDi, which also implies CCc). Section VI-A discusses which properties imply others.


In Fig. 4b we arrange this data as a taxonomy, with each split representing a dimension, with weaker properties positioned to the left and stronger properties to the right. We split first on the state correspondence, which is perhaps the biggest difference among the surveyed simulations. This separates simulations that preserve only the answers to authorization requests (SCa) from those that preserve all queries (SCq) and those that preserve full state structure (SCs). We note that the ALS simulation is alone in its decomposition including SCs; all other surveyed simulations allowed the simulating system to store information in a different organization than the simulated system, so long as the required queriable information (requests or queries) can be recovered. We also note that the predominant difference between the SMG simulation and the CDM simulations is the command dependence: in SMG, a command can be mapped completely differently if it is to be executed in different states, while in CDM, each command must be mapped without knowing the state in which it will be executed. The Ganta simulation is unique in enforcing the non-contamination trace restriction. HMG+ and TL-SMR use the same state correspondence, but HMG+ enforces a more lax query dependence and does not require bireachability. Simulations that are positioned farther apart are the most dissimilar. Most starkly different are SMG and ALS, positioned far left and far right, which share no simulation properties except in dimensions in which both enforce only minimum properties, despite their similar publication times.

Fig. 5: Lattice of state correspondence, command dependence, and query dependence with positioned surveyed simulations

In Fig. 4c we position the surveyed simulations within a lattice. Higher simulations decompose to more strict properties, and an arrow from simulation X to simulation X' indicates that X' decomposes to strictly stronger properties than X. Here we can see that the SMG simulation is strictly weakest, which supports previous claims to this effect [?], [?]. Several orthogonal directions were taken in defining other simulations to enforce stronger properties. The CDM simulations, as noted above, restrict the command dependence. The Ganta simulation requires non-contamination and bireachability. The TL state-matching reduction and HMG+ parameterized expressiveness consider queries, and thus strengthen the state correspondence. The ALS simulation enforces an even more strict state correspondence, requiring the structure of a simulated system's state to be preserved in the simulating system. Interestingly, we note that while all are stronger than SMG, most pairs are incomparable due to being stronger in orthogonal ways. In particular, while TL-SMR is considered to be a relatively strong notion of simulation, this is not substantiated by the lattice, which shows TL-SMR to be stronger than HMG+ and SMG, but incomparable to the CDM, ALS, and Ganta simulations.

Figure 5 presents a lattice of state correspondence, command dependence, and query dependence, with the surveyed simulations positioned within it (in this space, the Ganta simulation is at the same point as the SMG simulation). This figure makes evident the wide range of points between existing simulations that have not been explored. In this figure, we omit several dimensions for readability, namely reachability (which further separates Ganta, ALS, and TL-SMR from SMG, CDM and HMG+) and stuttering (which would break CDM into its weak and strong counterparts). Perhaps the most interesting points to explore within this lattice are those that exist between two surveyed simulations. For example, {SCq, CDs, QDs} adds to SMG the preservation of queries beyond requests, but stops short of HMG+ by not restricting the query decider to consider only the theory of the state while mapping queries. Similarly, {SCa, CDt, QDs} takes away some of SMG's freedom to inspect the state when mapping commands, but rather than go all the way to the independent command mapping of CDM, it still allows it to inspect the state's responses to queries. We also point out {SCq, CDs, QDi}, which differs from HMG+ by enforcing query decider independence (mapping queries cannot consider the state or theory), but can map each simulated query to a boolean expression over simulating queries.

VI. Selecting New Sets of Properties

In Section V we positioned the simulations used in previous works within a comparative lattice, allowing them to be formally compared for the first time. In this section, we enable a second use of our lattice of expressiveness simulation properties: crafting new notions of expressiveness by choosing the properties that most closely correspond to the scenario in which an access control system will be deployed. We first discuss interactions between dimensions; this discussion should act as a warning against choosing individual properties in isolation. We then interpret the impact each identified dimension has on the simulation, and identify properties of a deployment scenario that may dictate particular choices in each dimension. Finally, we discuss the potential impact these techniques could have on future expressiveness analysis.

A. Interactions Between Dimensions 

We noted in Section V that some simulations decompose to sets of properties that include implied properties, or properties that are redundant given the others in the set. For instance, command independence (CDi) implies constant-time command mapping (CCc): if the command mapping does not depend on the state, then its procedure must be constant-time in the size of the state. Further, CCc implies constant step (CSc), since a constant-time procedure must have constant-size output. 

An additional type of interaction is between basic properties and those properties whose definition relies on the basic properties in the abstract. For example, the definition of forward reachability (R→) refers to sequences of commands output by $\sigma_\psi$, the length of which may be limited by command mapping stuttering (CS). Further, the definitions of both reachability properties (R) and trace structure properties (CT) refer to corresponding states. Here, the details of what makes states correspond is left to the state correspondence structure (SC). 

These dependencies show that the proof of a property in 
one dimension may rely on the properties chosen in another. 
Thus, e.g., changing to a stronger state correspondence requires 
re-proving a simulation’s results for reachability and trace 
structure, since these are dependent on state correspondence. 

Several property dimensions are defined over the size of the simulated state: command mapping complexity (CC), command mapping stuttering (CS), and query decider time-complexity (QC). Thus, these dimensions can be altered with respect to the original, simulated state by the state storage size (SS). For example, enforcing polynomial storage (SSp) and linear-time command mapping (CCl) will guarantee a command mapping that is linear-time with respect to the simulating state, which is a polynomial expansion over the original simulated state. 

B. Interpreting the Dimensions 

We now discuss the practical impacts of each identified dimension, and what types of environments may cause one to prefer a particular property in these dimensions over others. 

SC: State correspondence structure allows one to change 
what needs to be preserved about the state during a simulation. 
If the deployment scenario in question assumes only that the 
simulation allows the proper authorization requests, SCa should 
suffice. For scenarios that require the access control system to 
support (and provide correct answers to) additional queries such 
as, “Is user u a member of role r?”, SCq is more appropriate. 
Finally, in scenarios that make use of additional code that has 
access to (and assumes a particular arrangement of) the access 
control system’s internal data structures, SCs is the best choice. 

SS: State storage limits the size of the simulated state with respect to the original state (i.e., the state of the system being simulated). This can be restricted for several reasons. The most obvious is storage space: if trusted storage for representing access control state is limited, we may restrict the simulation from mapping states in a way that increases storage by more than a linear factor (SSl) or a polynomial factor (SSp). However, the more interesting reason comes from an interaction described in Section VI-A. Since other dimensions place restrictions (e.g., on the number of commands executed) based on the size of the simulating state, we may restrict the state expansion to linear (SSl) in order, e.g., to restrict the command mapping procedure to be linear-time in the size of the original, simulated state. If state storage is polynomial (SSp), then even if we enforce a command mapping that is linear in the simulating state (CCl), this only restricts it to being polynomial-time with respect to the simulated state. Thus, even when trusted storage space is unbounded in the deployment scenario, one may desire to limit state size to limit later iteration over this state. 

CD: Command mapping dependence allows one to require that the command mapping be computable without full knowledge and inspection of the state in which a command will be executed. Independent command mapping (CDi) requires that each command is mapped independent of the state, and is useful in deployment scenarios in which the agent calculating the simulating commands is completely unprivileged, and cannot inspect the state. It is also useful when commands must be precompiled, thus adding no computation at runtime beyond that of the simulating commands themselves. Theory-dependent command mapping (CDt) allows the command mapping to inspect the theory of the state (i.e., the answers to all queries). This property is useful in deployment scenarios in which the simulation agent is no more privileged than normal users: calculating the mapped commands requires only information available by asking queries. Finally, state-dependent command mapping (CDs) allows the command mapping to arbitrarily inspect the state, requiring a powerful simulation agent. 

CC: Command mapping complexity restricts the time-complexity of the command mapping with respect to the size of the simulating state. Constant command mapping (CCc) can restrict the command mapping from taking any longer for larger states, and is thus appropriate when states can be large but mapping commands must always remain fast. Linear command mapping (CCl) prevents expensive nested loops over access control state as well as operations such as sorting, while still allowing more processing for larger states. 

CS: Command stuttering restricts the number of simulating commands executed for each simulated command. Lock-step (CSl) simulations must execute no more than one simulating command per simulated command, and thus ensure there is no intermediate state exposed to users. In deployment scenarios without the ability to force atomic execution of a sequence of commands (or without built-in data structure locking), this property is crucial to preventing the inspection of intermediate (potentially inconsistent) states. Constant step (CSc) simulations are allowed a constant number of commands for each simulated command, and are thus appropriate when the state can grow to be large but the deployment scenario requires that the number of steps for any simulated action remain bounded (e.g., to prevent starvation due to locked structures). 

CT: Trace structure properties restrict the path that the simulating system can take during the simulation of a single command. Semantic lock-step (CTl, depicted in Fig. [?]) provides the benefits of a lock-step simulation in a slightly relaxed way: a "setup" phase prepares for the transition by changing only internal data (i.e., while remaining equivalent to the start state), then the transition occurs to a state equivalent to the end state, and then the "cleanup" phase cleans up any unnecessary leftover data (again, while remaining equivalent to the same end state). This is particularly useful when lock-step is too strict, but the deployment scenario is sensitive to the exposure of intermediate states (since, in CTl, no states are exposed except those equivalent to the start and end states). Query monotonicity (CTq) ensures that no query changes its truth value except those that are required to change between the start and end state. This allows multiple steps, but ensures that intermediate states, while not corresponding with the start or end state, never answer any query in a way that neither the start nor end state would. This is useful in scenarios where intermediate states are undesirable, but users are not expected to execute more than a single query between "valid" states (and will thus never detect the inconsistency). Access monotonicity (CTa) is similar, but applies only to authorization requests, and is useful in scenarios where inconsistent states are not a danger as long as they do not wrongly allow or forbid a request. Finally, non-contamination (CTs) ensures that no two accesses are allowed in an intermediate state that are not both allowed in either the start or end state. Thus, the simulating system is restricted not only from allowing accesses forbidden in the simulated system, but also combinations of individually-allowed accesses that are never combined in the simulated system. This restriction is particularly useful in environments with operations that "swap" accesses from one subject or object to another, or where separation of privilege is utilized. 
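The four trace-structure properties can be checked mechanically against a recorded trace of the simulating system, which is how a deployment would verify that a command mapping does not expose inconsistent intermediate states. The following is an added example written for this discussion, not code from the paper: a state is represented by its theory under SCq (the set of queries that answer TRUE), authorization requests are the queries tagged "access", and the two traces, the users, objects and role names in them, and the equivalence used for CTl (theory equality) are all constructed assumptions.

```python
"""Checkers for the trace-structure properties CTl, CTq, CTa and CTs.

Added example, not code from the paper.  A state of the simulating system is
modelled by its theory under SCq: the frozenset of queries that answer TRUE.
Queries are tuples; authorization requests are the tuples tagged "access".
All user, object and role names below are constructed.
"""
from itertools import combinations_with_replacement


def requests(theory):
    """The accesses granted in a state: its TRUE authorization requests."""
    return frozenset(q for q in theory if q[0] == "access")


def query_universe(trace):
    """Every query TRUE in at least one state of the trace; a query absent
    from a state's theory answers FALSE there."""
    return frozenset().union(*trace)


def ct_l_semantic_lockstep(trace, equiv=lambda a, b: a == b):
    """CTl: a prefix of states equivalent to the start state ("setup"), then
    one transition, then only states equivalent to the end state ("cleanup").
    Under SCq two states are equivalent when their theories coincide."""
    start, end = trace[0], trace[-1]
    i = 0
    while i < len(trace) and equiv(trace[i], start):
        i += 1
    return all(equiv(s, end) for s in trace[i:])


def ct_q_query_monotonic(trace):
    """CTq: a query may change its truth value only if it differs between the
    start and end state; every other query keeps its start value throughout."""
    start, end = trace[0], trace[-1]
    for q in query_universe(trace):
        if (q in start) == (q in end):
            if any((q in s) != (q in start) for s in trace[1:-1]):
                return False
    return True


def ct_a_access_monotonic(trace):
    """CTa: the CTq condition restricted to authorization requests."""
    return ct_q_query_monotonic([requests(s) for s in trace])


def ct_s_non_contamination(trace):
    """CTs: no two accesses are granted in an intermediate state unless both
    are granted in the start state or both are granted in the end state."""
    start, end = requests(trace[0]), requests(trace[-1])
    for s in trace[1:-1]:
        for a, b in combinations_with_replacement(sorted(requests(s)), 2):
            if not ({a, b} <= start or {a, b} <= end):
                return False
    return True


# Constructed trace: simulating "grant alice read on report" in a role-based
# system.  Setup (create a role, attach the permission) changes no query;
# the single transition assigns alice to the role; no cleanup is needed.
GRANT_TRACE = [
    frozenset({("access", "bob", "read", "report")}),          # start
    frozenset({("access", "bob", "read", "report")}),          # role created
    frozenset({("access", "bob", "read", "report")}),          # permission attached
    frozenset({("access", "bob", "read", "report"),
               ("member", "alice", "report_readers"),
               ("access", "alice", "read", "report")}),        # end
]

# Constructed trace: moving bob's access to carol through a state in which
# both hold it.  Each request changes only in the direction the end state
# requires, so CTq and CTa hold, but the pair is granted together in neither
# the start nor the end state, so CTs fails (and so does CTl).
TRANSFER_TRACE = [
    frozenset({("access", "bob", "read", "report")}),
    frozenset({("access", "bob", "read", "report"),
               ("access", "carol", "read", "report")}),
    frozenset({("access", "carol", "read", "report")}),
]


def check_all(trace):
    return {"CTl": ct_l_semantic_lockstep(trace),
            "CTq": ct_q_query_monotonic(trace),
            "CTa": ct_a_access_monotonic(trace),
            "CTs": ct_s_non_contamination(trace)}


if __name__ == "__main__":
    for name, trace in (("grant", GRANT_TRACE), ("transfer", TRANSFER_TRACE)):
        print(name, check_all(trace))
```

The pairwise CTs check follows the definition literally; it is equivalent to requiring each intermediate state's granted set to be a subset of the start state's or of the end state's, which is why the transfer trace fails CTs while passing the per-request monotonicity checks.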

CA: Actor preservation restricts which users can be invoked to simulate commands. Self-execution (CAl) requires each simulating command be executed by the same user as the original, simulated command. This allows the simulating agent to be completely unprivileged, mapping commands as a service to the user, but without executing them with any privilege beyond the user's own. Administration-preservation (CAa) requires any non-administrative simulated command be mapped to a sequence of non-administrative commands (i.e., a command that does not invoke administrative privileges cannot be simulated by an administrative command). This corresponds to scenarios in which users will be expected to operate largely without administrative intervention. No restriction in this dimension means that the command mapping can return commands to be executed by any other user. This is most appropriate when the simulating agent is trusted to execute administrative actions on behalf of untrusted users, or when the commands returned can then be delegated to other users to be approved and executed. 

Finally, R: reachability specifies whether the simulating system should be restricted from entering a state that does not correspond to a simulated state. If the simulation agent is users' only interface to the deployed access control system, forward reachability (R→) is sufficient. However, if users can access the simulating system's native commands, bireachability (R↔) ensures that the system cannot transition to a state that is inconsistent with the simulated system. 

Fig. 6: Partial lattice of canonical usage 

C. Studying Canonical Usages 

Next, we use the above interpretation of our expressiveness simulation properties to guide a discussion about how each of the notions of simulation that we studied in Section V is used by its creators. In many cases, the definition for a particular notion of simulation is underconstrained, and the simulations written within the framework actually satisfy stronger properties than the defined lower bound. We refer to the set of properties that the authors seem to intend for a simulation to uphold as its canonical usage. In the case of Sandhu's simulation, the author recognizes that the given constructions are stronger than the definition, noting that formalizing the definition of the stronger simulation is beyond the scope of the work [?]. Here, we make conjectures regarding the decomposition of the canonical usage of these simulations. A lattice view of these conjectures is shown in Fig. 6, where $\overline{\mathrm{X}}$ indicates the canonical usage of simulation type X. For example, $\overline{\mathrm{SM}}$ refers to the form of the SMG simulation used in [?, ?]. 

It is interesting to note that the relationships between notions of simulation are not necessarily preserved in the canonical usage. While SMG by definition is the weakest simulation, the canonical usage $\overline{\mathrm{SM}}$ is incomparable to any simulation's definition and positioned strictly weaker than the canonical usage of the CDM simulations. While, by definition, the TL state-matching reduction is more strict than HMG+ parameterized expressiveness, their canonical usages are incomparable due to TL-SMR enforcing bireachability (R↔) and using polynomial state size (SSp), compared to HMG+ enforcing forward reachability (R→) and using linear state size (SSl). Finally, we note that all of CDMs, CDMw, SMG, and ALS simulations are canonically used in such a way that enforces full query preservation (QPf); that is, all of the constructed mappings of these types use the identity mapping for all supported queries, despite the fact that none of them specifically require this by definition. This trend of a notion of simulation's usage being consistently more strict than its definition reveals the difficulty in fully specifying the set of properties that a notion of expressiveness simulation is intended to enforce. The discussion in this section, aimed at helping analysts choose a reasonable set of properties for a deployment, can also help ensure that newer notions of simulation are fully specified, and best match their intended usages. 

VII. Conclusion and Future Work 

In this paper, we organize the existing knowledge of 
expressiveness simulations by formalizing a granular, property- 
based representation, proposing a wide range of dimensions 
of simulation properties, and positioning influential notions of 
expressiveness simulation from the literature within the lattice 
of these properties. In doing so, we provide the first systematic 
comparison of existing simulations that were not previously 
known to be directly comparable, showing how these notions 
of expressiveness simulation relate to one another. 

Looking away from existing notions of simulation and rather between them, this work allows us to explore an organized space of simulations to identify areas to explore in future research. For instance, knowing expressiveness results derived using the SMG and ALS simulations, which of these hold true for notions of simulation "between" the two existing notions? What results can be shown for a simulation decomposing to the union of the properties of two existing notions? How far up the lattice do all systems become incomparable? These questions can only be explored thanks to the systematic means of simulation decomposition. 

Finally, understanding the systems implications of various 
simulation properties will enable analysts to select the notion 
of access control expressiveness that corresponds most closely 
to the scenario in which they plan to deploy the target access 
control system(s). Thus, we make inroads toward bringing 
expressiveness analysis techniques out of the strictly formal 
realm, and repurpose these techniques to help select the most 
suitable access control system for a given application. 

A question to be explored in future work is the identification of the set of analysis questions that a particular set of simulation properties preserves. For example, Tripunitara and Li showed that the state-matching reduction preserves compositional security analysis instances: the set of questions containing a single quantifier ($\exists$ or $\forall$), a propositional formula over queries $p$, and a start state $\gamma$ [13]. Semantically, the question asks whether $p$ is {ever, always} true in states reachable from $\gamma$. If $T$ admits a state-matching reduction of $S$, then all compositional security analysis instances have the same value in $S$ and $T$. Identifying the types of analysis questions preserved by other notions of simulation would allow us even greater understanding of the practical and theoretical impacts of simulation property choices. 
Appendix A 

Query decider properties 

In this appendix, we present the dimensions in which the query decider can be restricted. Recall (Definition [?]) that the query decider is a function $\sigma_Q : Q^S \times \Gamma^T \to \{\mathrm{TRUE}, \mathrm{FALSE}\}$ that assigns a truth value to each query in system $S$, in each state in system $T$. As with the command mapping, we can restrict what properties of the state the query decider can observe, but in general it sees the whole state. Thus, it allows us to answer $S$ queries in an active simulation using $T$. We now discuss the ways in which we can restrict this decider. 

Dimension QD: Query decider dependence 

While Definition [?] maps each $S$ query and $T$ state to a truth value, previous works use more strict query deciders, ranging from mapping each $S$ query $q$ to a $T$ query $q'$ and returning $\gamma^T \vdash q'$ [13], to mapping each $S$ query and $T$ theory to a truth value [?] (calculating the truth value by observing only the queriable portions of the $T$ state). Query decider dependence, similar to command mapping dependence, restricts the information that the query decider can consider about a $T$ state when deciding the truth value of an $S$ query in that state. 

QDl: Independent, unitary-range query decider 

$\exists \sigma' : Q^S \to Q^T .\; (\sigma_Q(q, \gamma) = \gamma \vdash \sigma'(q))$ 

QDi: Independent query decider 

$\exists \sigma' : Q^S \to \Phi(Q^T) .\; (\sigma_Q(q, \gamma) = \gamma \vdash \sigma'(q))$, where $\Phi(Q^T)$ denotes the boolean expressions over $Q^T$ 

QDt: Theory-dependent query decider 

$\exists \sigma' : Q^S \times \mathit{Th}(T) \to \{\mathrm{TRUE}, \mathrm{FALSE}\} .\; (\sigma_Q(q, \gamma) = \sigma'(q, \mathit{Th}(\gamma)))$ 

QDs: State-dependent query decider No restriction. 

First, independent, unitary-range query simulations map each $S$ query $q^S$ to a single $T$ query $q'^T$, then return the truth value of asking this $T$ query in $\gamma^T$ (i.e., return $\gamma^T \vdash q'^T$). This type of simulation was used in [?]. Independent query simulations, similarly, map $q^S$ independent of the state, but in this case can map it to a boolean expression over $Q^T$, rather than a single query. This allows the simulation, for example, to map the $S$ query "Is user u a member of role r?" to the $T$ query sentence "Does user u exist and does user u have attribute role:r?" 

Theory-dependent query allows the truth value to be determined based only on the theory of the $T$ state, or the values of all $T$ queries in the state. This allows the query decider to inspect the values of (potentially) all $T$ queries, but does not allow the decider to consider any features of the state that cannot be queried using $Q^T$. This version of the query decider is used in [?]. Finally, we refer to the general case as state-dependent query, since in this case the query decider can arbitrarily inspect the $T$ state before returning a truth value for an $S$ query, rather than being restricted only to those elements of the state which are observable by asking queries in $Q^T$. 

The biggest impact a selection in QD has is to limit the privilege of the simulating agent: under QDl and QDi, the simulating agent need know nothing about the current state of the system to map queries, and simulated queries are mapped statically to dynamic queries. Under QDt, the simulating agent must be privileged to view the values of all queries at runtime, while QDs assumes the ability to arbitrarily inspect the state at runtime (even the portions of state that are not queriable). 
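To make the four levels of query decider dependence concrete, the following added example (not code from the paper) implements one decider of each kind for the role-membership query above. The simulated system $S$ asks "Is user u a member of role r?"; the simulating system $T$ is attribute-based and natively answers only "Does user u exist?" and "Does user u have attribute a?". The T state layout, its attribute names, the unqueriable audit-log field, and the two extra $S$ queries used to show what QDt and QDs can answer are all constructed assumptions.

```python
"""Query deciders of differing dependence (QDl, QDi, QDt, QDs).

Added example, not code from the paper.  S asks ("member", u, r); T natively
answers ("exists", u) and ("attr", u, a).  Names, attributes and the audit log
are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TState:
    users: frozenset          # users that exist
    attrs: frozenset          # (user, attribute) pairs
    audit_log: tuple = ()     # internal data exposed by no T query


def t_entails(state, q):
    """gamma^T |- q: T's native evaluation of one of its own queries."""
    if q[0] == "exists":
        return q[1] in state.users
    if q[0] == "attr":
        return (q[1], q[2]) in state.attrs
    raise ValueError(f"not a T query: {q!r}")


def theory_of(state):
    """Th(gamma^T): the value of every T query over the state's users and
    attributes (queries absent from the dict answer FALSE)."""
    th = {("exists", u): True for u in state.users}
    th.update({("attr", u, a): True for (u, a) in state.attrs})
    return th


# QDl: sigma' maps each S query to exactly one T query, never seeing the state.
def qdl_map(q_s):
    _, user, role = q_s
    return ("attr", user, f"role:{role}")


def qdl_decide(q_s, state):
    return t_entails(state, qdl_map(q_s))


# QDi: sigma' maps each S query to a boolean expression over T queries, still
# never seeing the state.  Expression nodes are ("and"|"or"|"not", ...).
def qdi_map(q_s):
    _, user, role = q_s
    return ("and", ("exists", user), ("attr", user, f"role:{role}"))


def eval_expr(expr, state):
    if expr[0] == "and":
        return all(eval_expr(e, state) for e in expr[1:])
    if expr[0] == "or":
        return any(eval_expr(e, state) for e in expr[1:])
    if expr[0] == "not":
        return not eval_expr(expr[1], state)
    return t_entails(state, expr)


def qdi_decide(q_s, state):
    return eval_expr(qdi_map(q_s), state)


# QDt: the decider sees only Th(gamma^T) but may compute arbitrarily over it;
# here it answers the S query ("sole_member", u, r) by counting members.
def qdt_decide(q_s, theory):
    _, user, role = q_s
    members = {u for (kind, u, *rest), v in theory.items()
               if kind == "attr" and rest == [f"role:{role}"] and v
               and theory.get(("exists", u), False)}
    return members == {user}


# QDs: the decider may read the whole state, including the unqueriable log;
# here it answers the S query ("ever_member", u, r) from the audit log.
def qds_decide(q_s, state):
    _, user, role = q_s
    return any(entry == ("assign", user, f"role:{role}")
               for entry in state.audit_log)


# Constructed T state: carol was deleted but her attribute was left behind.
SAMPLE = TState(
    users=frozenset({"alice", "bob"}),
    attrs=frozenset({("alice", "role:admin"), ("bob", "role:dev"),
                     ("carol", "role:admin")}),
    audit_log=(("assign", "alice", "role:admin"),
               ("assign", "carol", "role:admin"),
               ("assign", "bob", "role:dev"), ("delete", "carol")),
)


def membership_answers(user, role, state=SAMPLE):
    """How the QDl and QDi deciders answer 'Is user u a member of role r?'."""
    q = ("member", user, role)
    return {"QDl": qdl_decide(q, state), "QDi": qdi_decide(q, state)}
```

The stale attribute on the deleted user is what separates QDl from QDi here: a single mapped query cannot express the conjunction with existence, so the unitary-range decider reports carol as an administrator while the boolean-expression decider does not. The QDt decider needs the whole theory because it counts across users, and the QDs decider answers from data that no $T$ query exposes, which is exactly the extra privilege the text attributes to it.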

Dimension QC: Query decider complexity 

As with the command mapping, due to potential resource 
constraints, we may enforce limits on the runtime complexity 
of the query decider routine, with respect to the size of the 
state it is executed in. As with commands, this is not applicable 
for independent query deciders. 

QCc: Constant query decider $\forall q \in Q^S$, the algorithm for $\sigma_q(\gamma) = \sigma_Q(q, \gamma)$ has time complexity $T(n) \in O(1)$ 

QC∞: Unbounded query decider No restriction. 

For theory-dependent and state-dependent query deciders, 
we can limit the complexity of the procedure—here, we 
consider only the constant-time restriction explicitly, though 
other restrictions may be useful in some cases. 

Dimension QP: Query preservation 

Query preservation is a property dimension that indicates 
which queries need to stay the same as they are mapped from 
system S to system T. A particular application may require 
any given set of queries to be preserved; here, we present 
several generic examples. 

QPf: Complete query preservation 

$\forall q \in Q^S, \gamma \in \Gamma^T : \sigma_Q(q, \gamma) = \gamma \vdash q$ 

QPa: Authorization preservation 

$\forall r \in \mathcal{R}^S, \gamma \in \Gamma^T : \sigma_Q(r, \gamma) = \gamma \vdash r$ 

QPw: Weak authorization preservation 

$\exists f : \mathcal{R}^S \to \mathcal{R}^T$ such that the following two conditions hold: 

• $\forall r \in \mathcal{R}^S, \gamma \in \Gamma^T .\; (\sigma_Q(r, \gamma) = \mathrm{TRUE} \Rightarrow \gamma \vdash f(r))$ 

• $\forall r \in \mathcal{R}^T, \gamma \in \Gamma^T .\; (\gamma \vdash r \Rightarrow \exists r^S \in \mathcal{R}^S .\; (\sigma_Q(r^S, \gamma) = \mathrm{TRUE} \wedge f(r^S) = r))$ 

The most common property in this dimension is authorization preservation, which roughly enforces that the query decider maps each $S$ request to the value of the identical request in the $T$ state. This requires $T$ to accept at least the same authorization requests as $S$, and can be seen as ensuring that $T$ is using its model "as intended" (i.e., forcing it to answer simulated requests as it would its own native requests). Complete query preservation restricts the query decider in the same way, but for all supported queries. 

Authorization preservation was formalized in [14] (as AC-preservation), but has been used implicitly in other simulations (e.g., [?]) that do not include any mapping from $S$ requests to $T$ requests (i.e., assume the identity mapping). For formalisms that do not consider queries other than requests, authorization preservation and complete query preservation are equivalent. 

A related property is weak authorization preservation, defined in [?] (as weak AC-preservation). This property is a weakened version of authorization preservation: its intentions are similar, but the weak form can be used even when $S$ and $T$ do not support the exact same requests (i.e., simulating a system with requests of the form, "Does user u have access to permission p?" in a system with requests of the form, "Does subject s have access read to object o?"). Weak authorization preservation allows a request transformation function, which maps $S$ requests to $T$ requests. The definition of this property ensures that each $S$ request is mapped into $T$, and each $T$ request that is granted represents some $S$ request. 
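Both preservation properties can be decided over finite request sets for a given $T$ state, which is a useful deployment check: the second QPw condition is what catches a $T$ state in which native commands have granted an access that no simulated request accounts for. The following is an added example, not code from the paper; the request formats ("perm", u, "right:object") for $S$ and ("access", u, right, object) for $T$, the transformation $f$ between them, the request universes and the two $T$ states are constructed assumptions.

```python
"""Authorization preservation (QPa) and weak authorization preservation (QPw)
checked over finite request sets.  Added example, not code from the paper.

S requests: ("perm", u, p) with p of the form "right:object".
T requests: ("access", u, right, object).
A T state is the set of T requests it grants.  All names are constructed.
"""


def t_entails(t_state, r):
    """gamma^T |- r for a T state given as the set of granted T requests."""
    return r in t_state


def f_transform(r_s):
    """The request transformation f : R^S -> R^T (a constructed convention)."""
    _, user, perm = r_s
    right, obj = perm.split(":", 1)
    return ("access", user, right, obj)


def sigma_q(r_s, t_state):
    """Query decider used here: answer an S request by asking T for f(r)."""
    return t_entails(t_state, f_transform(r_s))


def qpa_holds(decider, s_requests, t_requests, t_state):
    """QPa: sigma_Q(r, gamma) = gamma |- r for every S request r.  T must
    therefore support every S request verbatim; otherwise QPa cannot hold."""
    if not s_requests <= t_requests:
        return False
    return all(decider(r, t_state) == t_entails(t_state, r) for r in s_requests)


def qpw_holds(decider, f, s_requests, t_requests, t_state):
    """QPw: (1) every S request the decider grants is granted by T after
    transformation; (2) every granted T request is the image under f of some
    S request that the decider grants."""
    into_t = all(not decider(r, t_state) or t_entails(t_state, f(r))
                 for r in s_requests)
    onto_t = all(not t_entails(t_state, r)
                 or any(decider(rs, t_state) and f(rs) == r for rs in s_requests)
                 for r in t_requests)
    return into_t and onto_t


# Constructed request universes: S knows only read permissions; T also has write.
USERS = ("alice", "bob")
S_REQUESTS = frozenset(("perm", u, p) for u in USERS
                       for p in ("read:report", "read:ledger"))
T_REQUESTS = frozenset(("access", u, rt, o) for u in USERS
                       for rt in ("read", "write") for o in ("report", "ledger"))

# A T state reached through the simulation, and one in which T's native
# commands additionally granted a write right that no S request represents.
T_CONSISTENT = frozenset({("access", "alice", "read", "report"),
                          ("access", "bob", "read", "ledger")})
T_NATIVE_WRITE = T_CONSISTENT | {("access", "bob", "write", "ledger")}


def report():
    """Outcome of each check on the constructed states."""
    return {
        "QPa applicable":
            qpa_holds(sigma_q, S_REQUESTS, T_REQUESTS, T_CONSISTENT),
        "QPw consistent":
            qpw_holds(sigma_q, f_transform, S_REQUESTS, T_REQUESTS, T_CONSISTENT),
        "QPw native write":
            qpw_holds(sigma_q, f_transform, S_REQUESTS, T_REQUESTS, T_NATIVE_WRITE),
    }


if __name__ == "__main__":
    for name, outcome in report().items():
        print(f"{name}: {outcome}")
```

QPa is reported as not holding because the two systems do not share a request format, which is precisely the situation the weak form exists for; with a shared format and the identity transformation, `qpw_holds` reduces to `qpa_holds`.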


A. Interactions Between Dimensions 

Independent query decider (QDi) implies constant query decider (QCc), since a query decider that does not depend on the state must be constant-time with respect to the state size. Full query preservation (QPf) implies constant query decider (QCc), since the identity mapping is a constant-time procedure, and implies unitary-range query decider (QDl), since the identity mapping always outputs only one query. 


B. Interpreting the Dimensions 

QD: Query dependence, similar to command dependence, can restrict the query decider from using the full knowledge of the state in question when mapping queries to truth values. Independent query deciders (QDl and QDi) map each simulated query to its simulating queries, and its truth value is then determined by checking the values of these mapped queries in the simulating state. This is useful, as with commands, for precompilation, and restricts the simulating agent's role to be akin to a Karp reduction (i.e., it can only return the value of its simulating queries with no modifications) [28, p. 60]. Theory-dependent query decider (QDt) allows the inspection of the full theory of the state, and thus arbitrary computation over the values of all queries in the simulating system, corresponding to a query decider that is only privileged enough to ask queries, but not inspect state. Finally, state-dependent query decider (QDs) allows arbitrary inspection of the state, and thus may answer simulated queries using state that is usually unqueriable in the simulating system; this requires a powerful simulation agent that is trusted to view the full access control data structures. 

QC: Query complexity restricts the time-complexity of 
the query decider with respect to the size of the simulating 
state, and is thus chosen for reasons analogous to command 
complexity (CC). 


QP: Query preservation restricts certain queries to be mapped by a sort of "identity function." That is, certain simulated queries are mapped TRUE if and only if the query is also present in the simulating system, and the query returns TRUE in the current simulating state. This dimension of restrictions is strict in that it requires the simulating system to support all of the included queries of the simulated system, but ensures that the simulating system is used as per normal. If the deployment scenario is unable to cope with reduced throughput caused by the query decider during simulation, QPf also ensures that we can pipe simulated queries directly to the simulating system. Authorization preservation (QPa) is particularly useful when using a simulating system based on a model with formally-proven properties: since all authorization requests must be mapped by the identity, the simulating system allows a simulated request exactly when it would natively allow the same request. 


Appendix B 

Decomposition Proofs 

A. TL State-Matching Reduction 

For the purposes of this proof, let the set of simulation properties $\mathcal{V}$ = {SCq, QDl, R↔}. 

Lemma 4 Given access control systems $S$, $T$, and $U$, 

$T \;\mathrm{sim}_{\mathrm{TL\text{-}SMR}}\; S \;\wedge\; S \;\mathrm{sim}_{\mathcal{V}}\; U \;\Rightarrow\; T \;\mathrm{sim}_{\mathcal{V}}\; U$ 

That is, if $T$ admits a state-matching reduction of $S$, and $S$ admits a simulation of $U$ with properties {SCq, QDl, R↔}, then $T$ admits a simulation of $U$ with properties {SCq, QDl, R↔}. 

Proof: Let $S$, $T$, and $U$ be arbitrary access control systems such that $T \;\mathrm{sim}_{\mathrm{TL\text{-}SMR}}\; S$ and $S \;\mathrm{sim}_{\mathcal{V}}\; U$. To prove Lemma 4 we must then show that $T \;\mathrm{sim}_{\mathcal{V}}\; U$. 

Since $S \;\mathrm{sim}_{\mathcal{V}}\; U$, by QDl, 

$\exists \sigma'_{\mathrm{QDl}} : Q^U \to Q^S .\; \sigma_Q(q^U, \gamma^S) = \gamma^S \vdash \sigma'_{\mathrm{QDl}}(q^U)$ 

Since $T \;\mathrm{sim}_{\mathrm{TL\text{-}SMR}}\; S$, the state-matching reduction provides a mapping from $Q^S$ to $Q^T$. Call this mapping $\sigma_q$. Thus, let $\sigma' : Q^U \to Q^T$ be $\sigma'(q^U) = \sigma_q(\sigma'_{\mathrm{QDl}}(q^U))$ and say $\sigma_Q(q^U, \gamma^T) = \gamma^T \vdash \sigma'(q^U)$. This forms a query decider that satisfies QDl. 

Choose an arbitrary state $\gamma_0^U \in \Gamma^U$ and command $\psi^U \in \Psi^U$, and let $\mathit{next}(\gamma_0^U, \psi^U) = \gamma_1^U$. Let $\gamma_0^S \in \Gamma^S$ such that $\gamma_0^U \sim \gamma_0^S$. Since $S \;\mathrm{sim}_{\mathcal{V}}\; U$, 

$\exists \gamma_1^S \in \Gamma^S .\; (\mathit{terminal}(\gamma_0^S, \sigma_\psi(\psi^U, \gamma_0^S)) = \gamma_1^S \;\wedge\; \gamma_1^U \sim \gamma_1^S)$ 

Let $\gamma_0^T \in \Gamma^T$ such that $\gamma_0^S \sim \gamma_0^T$. Since $T \;\mathrm{sim}_{\mathrm{TL\text{-}SMR}}\; S$, 

$\exists \gamma_1^T \in \Gamma^T .\; (\gamma_0^T \mapsto^{*} \gamma_1^T \;\wedge\; \gamma_1^S \sim \gamma_1^T)$ 

Thus, there exists a sequence of $T$ commands $\Psi_0^T$ such that $\mathit{terminal}(\gamma_0^T, \Psi_0^T) = \gamma_1^T$. Define $\sigma_\psi : \Psi^U \times \Gamma^T \to (\Psi^T)^{*}$ such that it returns $\Psi_0^T$ for $(\psi^U, \gamma_0^T)$. This is formed by concatenating a sequence of sequences of commands: for each command $\psi_i^S$ that $S$ needs to execute to simulate $\psi^U$, concatenate the commands that $T$ needs to execute to simulate $\psi_i^S$. 

Then, given $\gamma_0^U \in \Gamma^U$, $\gamma_0^T \in \Gamma^T$, $\psi^U \in \Psi^U$ such that $\mathit{next}(\gamma_0^U, \psi^U) = \gamma_1^U$ and $\gamma_0^U \sim \gamma_0^T$, 

$\exists \gamma_1^T \in \Gamma^T .\; (\mathit{terminal}(\gamma_0^T, \sigma_\psi(\psi^U, \gamma_0^T)) = \gamma_1^T \;\wedge\; \gamma_1^U \sim \gamma_1^T)$ 

Hence, $T \;\mathrm{sim}_{\{\mathrm{SCq},\,\mathrm{QDl},\,\mathrm{R}\rightarrow\}}\; U$. Next we show R↔. 

Choose some arbitrary states $\gamma_0^T, \gamma_1^T \in \Gamma^T$ such that $\gamma_0^T \mapsto \gamma_1^T$. Let $\gamma_0^S \in \Gamma^S$ such that $\gamma_0^S \sim \gamma_0^T$. Since $T \;\mathrm{sim}_{\mathrm{TL\text{-}SMR}}\; S$, 

$\exists \gamma_1^S \in \Gamma^S .\; (\gamma_0^S \mapsto^{*} \gamma_1^S \;\wedge\; \gamma_1^S \sim \gamma_1^T)$ 

Let $\gamma_0^U \in \Gamma^U$ such that $\gamma_0^U \sim \gamma_0^S$. Since $S \;\mathrm{sim}_{\mathcal{V}}\; U$, 

$\exists \gamma_1^U \in \Gamma^U .\; (\gamma_0^U \mapsto^{*} \gamma_1^U \;\wedge\; \gamma_1^U \sim \gamma_1^S)$ 

Thus, given $\gamma_0^U \in \Gamma^U$ and $\gamma_0^T, \gamma_1^T \in \Gamma^T$ such that $\gamma_0^T \mapsto \gamma_1^T$ and $\gamma_0^U \sim \gamma_0^T$, 

$\exists \gamma_1^U \in \Gamma^U .\; (\gamma_0^U \mapsto^{*} \gamma_1^U \;\wedge\; \gamma_1^U \sim \gamma_1^T)$ 

Hence, $T \;\mathrm{sim}_{\mathcal{V}}\; U$. ■ 

V 

Lemma 5 Given access control systems $S$ and $T$ and simulation properties $\mathcal{V}$ = {SCq, QDl, R↔}, $S \le_{\mathcal{V}} T \Rightarrow T \;\mathrm{sim}_{\mathrm{TL\text{-}SMR}}\; S$. That is, if $T$ is at least as expressive as $S$ with respect to properties $\mathcal{V}$, then $T$ admits a state-matching reduction of $S$. 

Proof: Let $S$ and $T$ be arbitrary access control systems such that $S \le_{\mathcal{V}} T$. Since $S \le_{\mathcal{V}} T$, for any access control system $U$, if $S \;\mathrm{sim}_{\mathcal{V}}\; U$, then $T \;\mathrm{sim}_{\mathcal{V}}\; U$. Since $S$ can trivially simulate itself, $S \;\mathrm{sim}_{\mathcal{V}}\; S$, and thus $T \;\mathrm{sim}_{\mathcal{V}}\; S$. 

By QDl, $\exists \sigma' : Q^S \to Q^T .\; (\sigma_Q(q^S, \gamma^T) = \gamma^T \vdash \sigma'(q^S))$. Thus, $\sigma'$ satisfies the format of the TL-SMR query mapping (i.e., $\sigma_q : Q^S \to Q^T$). 

Then, given $\gamma_0^S, \gamma_1^S \in \Gamma^S$, $\gamma_0^T \in \Gamma^T$, by R→, if $\gamma_0^S \sim \gamma_0^T$ and $\gamma_0^S \mapsto \gamma_1^S$, then 

$\exists \gamma_1^T .\; (\gamma_0^T \mapsto^{*} \gamma_1^T \;\wedge\; \gamma_1^S \sim \gamma_1^T)$ 

Since SCq satisfies the TL-SMR definition of state correspondence, this means we have satisfied the first property of the state-matching reduction: 

1) For every state $\gamma_1^S$ in system $S$ such that $\gamma_0^S \mapsto^{*} \gamma_1^S$, there exists a state $\gamma_1^T$ such that $\gamma_0^T \mapsto^{*} \gamma_1^T$ and $\gamma_1^S$ and $\gamma_1^T$ are equivalent under $\sigma$. 

And by bidirectional reachability, given $\gamma_0^S \in \Gamma^S$, $\gamma_0^T, \gamma_1^T \in \Gamma^T$, if $\gamma_0^S \sim \gamma_0^T$ and $\gamma_0^T \mapsto \gamma_1^T$, then 

$\exists \gamma_1^S .\; (\gamma_0^S \mapsto^{*} \gamma_1^S \;\wedge\; \gamma_1^S \sim \gamma_1^T)$ 

And therefore, we have satisfied the second property of the state-matching reduction: 

2) For every state $\gamma_1^T$ in system $T$ such that $\gamma_0^T \mapsto^{*} \gamma_1^T$, there exists a state $\gamma_1^S$ such that $\gamma_0^S \mapsto^{*} \gamma_1^S$ and $\gamma_1^T$ and $\gamma_1^S$ are equivalent under $\sigma$. 

These properties satisfy the definition for a state-matching reduction, and hence $T$ admits a state-matching reduction of $S$ ($T \;\mathrm{sim}_{\mathrm{TL\text{-}SMR}}\; S$). ■ 

Theorem 6 TL-SMR = {SCq, QDl, R↔}; that is, the TL state-matching reduction decomposes to query correspondence; independent, unitary-range query; and bidirectional reachability. 

Proof: By Lemma 4, if $T \;\mathrm{sim}_{\mathrm{TL\text{-}SMR}}\; S$, then $S \le_{\mathcal{V}} T$. By Lemma 5, if $S \le_{\mathcal{V}} T$, then $T \;\mathrm{sim}_{\mathrm{TL\text{-}SMR}}\; S$. Thus, $S \le_{\mathcal{V}} T$ if and only if $T \;\mathrm{sim}_{\mathrm{TL\text{-}SMR}}\; S$, and thus the state-matching reduction decomposes to {SCq, QDl, R↔}. ■ 

B. HMG+ Parameterized Expressiveness Simulation 

For the purposes of this proof, let the set of simulation properties $\mathcal{V}$ = {SCq, QDt, R→}. 

Lemma 7 Given access control systems $S$, $T$, and $U$, 

$T \;\mathrm{sim}_{\mathrm{HMG+}}\; S \;\wedge\; S \;\mathrm{sim}_{\mathcal{V}}\; U \;\Rightarrow\; T \;\mathrm{sim}_{\mathcal{V}}\; U$ 

That is, if $T$ admits an HMG+ simulation of $S$, and $S$ admits a simulation of $U$ with properties {SCq, QDt, R→}, then $T$ admits a simulation of $U$ with properties {SCq, QDt, R→}. 

Proof: Let $S$, $T$, and $U$ be arbitrary access control systems such that $T \;\mathrm{sim}_{\mathrm{HMG+}}\; S$ and $S \;\mathrm{sim}_{\mathcal{V}}\; U$. To prove Lemma 7 we must then show that $T \;\mathrm{sim}_{\mathcal{V}}\; U$. 

Since $S \;\mathrm{sim}_{\mathcal{V}}\; U$, by QDt, 

$\exists \sigma' : Q^U \times \mathit{Th}(S) \to \{\mathrm{TRUE}, \mathrm{FALSE}\} .\; \sigma_Q(q, \gamma) = \sigma'(q, \mathit{Th}(\gamma))$ 

Since $T \;\mathrm{sim}_{\mathrm{HMG+}}\; S$, the HMG+ simulation contains the mapping $\pi : Q^S \times \mathit{Th}(T) \to \{\mathrm{TRUE}, \mathrm{FALSE}\}$. Thus, let $\sigma'' : Q^U \times \mathit{Th}(T) \to \{\mathrm{TRUE}, \mathrm{FALSE}\}$ be constructed as follows. Use $\sigma' : Q^U \times \mathit{Th}(S) \to \{\mathrm{TRUE}, \mathrm{FALSE}\}$, and for each query $q$ in $\mathit{Th}(S)$ that is needed by $\sigma'$, consult $\pi : Q^S \times \mathit{Th}(T) \to \{\mathrm{TRUE}, \mathrm{FALSE}\}$ to obtain a truth value in the current $T$ state. This forms a query decider that satisfies QDt. 

Choose an arbitrary state $\gamma_0^U \in \Gamma^U$ and command $\psi^U \in \Psi^U$, and let $\mathit{next}(\gamma_0^U, \psi^U) = \gamma_1^U$. Let $\gamma_0^S \in \Gamma^S$ such that $\gamma_0^U \sim \gamma_0^S$. Since $S \;\mathrm{sim}_{\mathcal{V}}\; U$, 

$\exists \gamma_1^S \in \Gamma^S .\; (\mathit{terminal}(\gamma_0^S, \sigma_\psi(\psi^U, \gamma_0^S)) = \gamma_1^S \;\wedge\; \gamma_1^U \sim \gamma_1^S)$ 

Let $\gamma_0^T \in \Gamma^T$ such that $\gamma_0^S \sim \gamma_0^T$. Since $T \;\mathrm{sim}_{\mathrm{HMG+}}\; S$, we can map each command of the sequence $\sigma_\psi(\psi^U, \gamma_0^S)$ to a sequence of $T$ commands using the HMG+ simulation. Concatenating this sequence of sequences to a single sequence $\Psi_0^T$, and using HMG+ correctness: 

$\exists \gamma_1^T \in \Gamma^T .\; (\mathit{terminal}(\gamma_0^T, \Psi_0^T) = \gamma_1^T \;\wedge\; \gamma_1^S \sim \gamma_1^T)$ 

Define $\sigma_\psi : \Psi^U \times \Gamma^T \to (\Psi^T)^{*}$ such that it returns $\Psi_0^T$ for $(\psi^U, \gamma_0^T)$. Then, given $\gamma_0^U \in \Gamma^U$, $\gamma_0^T \in \Gamma^T$, $\psi^U \in \Psi^U$ such that $\mathit{next}(\gamma_0^U, \psi^U) = \gamma_1^U$ and $\gamma_0^U \sim \gamma_0^T$, 

$\exists \gamma_1^T \in \Gamma^T .\; (\mathit{terminal}(\gamma_0^T, \sigma_\psi(\psi^U, \gamma_0^T)) = \gamma_1^T \;\wedge\; \gamma_1^U \sim \gamma_1^T)$ 

Hence, $T \;\mathrm{sim}_{\{\mathrm{SCq},\,\mathrm{QDt},\,\mathrm{R}\rightarrow\}}\; U$. ■ 

Lemma 8 Given access control systems $S$ and $T$ and simulation properties $\mathcal{V}$ = {SCq, QDt, R→}, $S \le_{\mathcal{V}} T \Rightarrow T \;\mathrm{sim}_{\mathrm{HMG+}}\; S$. That is, if $T$ is at least as expressive as $S$ with respect to properties $\mathcal{V}$, then $T$ admits an HMG+ simulation of $S$. 

Proof: Let $S$ and $T$ be arbitrary access control systems such that $S \le_{\mathcal{V}} T$. Since $S \le_{\mathcal{V}} T$, for any access control system $U$, if $S \;\mathrm{sim}_{\mathcal{V}}\; U$, then $T \;\mathrm{sim}_{\mathcal{V}}\; U$. Since $S$ can trivially simulate itself, $S \;\mathrm{sim}_{\mathcal{V}}\; S$, and thus $T \;\mathrm{sim}_{\mathcal{V}}\; S$. 

By QDt, 

$\exists \sigma' : Q^S \times \mathit{Th}(T) \to \{\mathrm{TRUE}, \mathrm{FALSE}\} .\; \sigma_Q(q^S, \gamma^T) = \sigma'(q^S, \mathit{Th}(\gamma^T))$ 

Thus, $\sigma'$ satisfies the format of the HMG+ query mapping (i.e., $\pi : Q^S \times \mathit{Th}(T) \to \{\mathrm{TRUE}, \mathrm{FALSE}\}$), and by SCq, the state mapping preserves the query mapping, property (i) for the HMG+ correct simulation. 

Let $\gamma_0^S \in \Gamma^S$, $\psi^S \in \Psi^S$ be an arbitrary state and command in $S$, and $\gamma_0^T \in \Gamma^T$ a state in $T$ such that $\sigma_\Gamma(\gamma_0^S) = \gamma_0^T$. Then, if $\mathit{next}(\gamma_0^S, \psi^S) = \gamma_1^S$, by R→, 

$\exists \gamma_1^T \in \Gamma^T .\; (\mathit{terminal}(\gamma_0^T, \sigma_\psi(\psi^S, \gamma_0^T)) = \gamma_1^T \;\wedge\; \gamma_1^S \sim \gamma_1^T)$ 

Thus, the command mapping preserves the state mapping, property (ii) for the HMG+ correct simulation. 

These properties satisfy the definition for HMG+ correct simulation, and hence $T$ admits an HMG+ simulation of $S$ ($T \;\mathrm{sim}_{\mathrm{HMG+}}\; S$). ■ 

Theorem 9 HMG+ = {SCq, QDt, R→}; that is, the HMG+ parameterized expressiveness simulation (correctness only) decomposes to query correspondence, theory-dependent query, and forward reachability. 

Proof: By Lemma 7, if $T \;\mathrm{sim}_{\mathrm{HMG+}}\; S$, then $S \le_{\mathcal{V}} T$. By Lemma 8, if $S \le_{\mathcal{V}} T$, then $T \;\mathrm{sim}_{\mathrm{HMG+}}\; S$. Thus, $S \le_{\mathcal{V}} T$ if and only if $T \;\mathrm{sim}_{\mathrm{HMG+}}\; S$, and thus the HMG+ simulation decomposes to {SCq, QDt, R→}. ■ 

C. AC-Preserving HMG+ Parameterized Expressiveness 

For the purposes of this proof, let the set of simulation properties $\mathcal{V}$ = {SCq, QDt, R→, QPa}. 

Lemma 10 Given access control systems $S$, $T$, and $U$, 

$T \;\mathrm{sim}_{\mathrm{HMG+a}}\; S \;\wedge\; S \;\mathrm{sim}_{\mathcal{V}}\; U \;\Rightarrow\; T \;\mathrm{sim}_{\mathcal{V}}\; U$ 

That is, if $T$ admits an HMG+ simulation with AC-preservation of $S$, and $S$ admits a simulation of $U$ with properties {SCq, QDt, R→, QPa}, then $T$ admits a simulation of $U$ with properties {SCq, QDt, R→, QPa}. 

Proof: The proof of Lemma 7 proves all properties besides QPa with no change. Thus, we now show QPa. 

Choose an arbitrary request $r \in \mathcal{R}^U$ and states $\gamma^S \in \Gamma^S$, $\gamma^T \in \Gamma^T$. Since $S \;\mathrm{sim}_{\mathcal{V}}\; U$, 

$\sigma_Q(r, \gamma^S) = \gamma^S \vdash r$ 

Since $T \;\mathrm{sim}_{\mathrm{HMG+a}}\; S$, 

$\forall r^S \in \mathcal{R}^S : \sigma_Q(r^S, \gamma^T) = \gamma^T \vdash r^S$ 

Since $S \;\mathrm{sim}_{\mathcal{V}}\; U$, by SCq, $r \in \mathcal{R}^S$. Thus, 

$\sigma_Q(r, \gamma^T) = \gamma^T \vdash r$ 

Hence, $T \;\mathrm{sim}_{\{\mathrm{SCq},\,\mathrm{QDt},\,\mathrm{R}\rightarrow,\,\mathrm{QPa}\}}\; U$. ■ 

Lemma 11 Given access control systems $S$ and $T$ and simulation properties $\mathcal{V}$ = {SCq, QDt, R→, QPa}, $S \le_{\mathcal{V}} T \Rightarrow T \;\mathrm{sim}_{\mathrm{HMG+a}}\; S$. That is, if $T$ is at least as expressive as $S$ with respect to properties $\mathcal{V}$, then $T$ admits an HMG+ simulation with AC-preservation of $S$. 

Proof: Let $S$ and $T$ be arbitrary access control systems such that $S \le_{\mathcal{V}} T$. Since $S \le_{\mathcal{V}} T$, for any access control system $U$, if $S \;\mathrm{sim}_{\mathcal{V}}\; U$, then $T \;\mathrm{sim}_{\mathcal{V}}\; U$. Since $S$ can trivially simulate itself, $S \;\mathrm{sim}_{\mathcal{V}}\; S$, and thus $T \;\mathrm{sim}_{\mathcal{V}}\; S$. 

The proof of Lemma 8 proves all properties besides AC-preservation. By QPa, 

$\forall r^S \in \mathcal{R}^S : \sigma_Q(r^S, \gamma^T) = \gamma^T \vdash r^S$ 

This satisfies the definition of AC-preservation, and hence $T$ admits an HMG+ simulation with AC-preservation of $S$ ($T \;\mathrm{sim}_{\mathrm{HMG+a}}\; S$). ■ 

Theorem 12 HMG+a = {SCq, QDt, R→, QPa}; that is, HMG+ parameterized expressiveness with AC-preservation decomposes to query correspondence, theory-dependent query, forward reachability, and authorization preservation. 

Proof: By Lemma 10, if $T \;\mathrm{sim}_{\mathrm{HMG+a}}\; S$, then $S \le_{\mathcal{V}} T$. By Lemma 11, if $S \le_{\mathcal{V}} T$, then $T \;\mathrm{sim}_{\mathrm{HMG+a}}\; S$. Thus, $S \le_{\mathcal{V}} T$ if and only if $T \;\mathrm{sim}_{\mathrm{HMG+a}}\; S$, and thus the HMG+ simulation with AC-preservation decomposes to {SCq, QDt, R→, QPa}. ■ 

D. Monotonic HMG+ Parameterized Expressiveness 

For the purposes of this proof, let the set of simulation properties $\mathcal{V}$ = {SCq, QDt, R→, CTa}. 

Lemma 13 Given access control systems $S$, $T$, and $U$, 

$T \;\mathrm{sim}_{\mathrm{HMG+s}}\; S \;\wedge\; S \;\mathrm{sim}_{\mathcal{V}}\; U \;\Rightarrow\; T \;\mathrm{sim}_{\mathcal{V}}\; U$ 

That is, if $T$ admits a monotonic HMG+ simulation 
of S, and S admits a simulation of hi with properties 



{SCq,QDt, R—>,CTa}, then T admits a simulation oflA with 
properties {SCq, QDt, R^-, CTa}. 

Proof: The proof of Lemma|^proves all properties besides 
CTa with no change. Thus, we now show CTa. 

Choose an arbitrary command and state 7 ^ G 

Let: 

m jf = terminal{'-fQ , tpf o ■ ■ ■ o tpf) 

Since S sim U, by CTa, this sequence of states 'yf is 
monotonic. 

Furthermore, let: 

• 770 = ot( 7 o ) 

• iTfi = terminali'jji^ g, o • • • o i’lj) 

• it,3 = terminalinlQ, ^ o • • • o 

Put simply, is simulated in T by the following sequence 
of commands: 


ψ_{1,1}^T, ..., ψ_{1,m}^T, ψ_{2,1}^T, ..., ψ_{n,m}^T

thus passing through the following trace of states:

γ_{0,0}^T, γ_{0,1}^T, ..., γ_{0,m-1}^T, γ_{1,0}^T, ..., γ_{n-1,m-1}^T, γ_{n,0}^T

Since T sim_{HMG+s} S, each subsequence γ_{i,0}^T, ..., γ_{i+1,0}^T is monotonic. Since S sim_𝒫 U, by CTa and SCq, the full sequence must also be monotonic.

Hence, T sim_{SCq,QDt,R→,CTa} U. ■

Lemma 14 Given access control systems S and T and simulation properties 𝒫 = {SCq, QDt, R→, CTa}, S ≤_𝒫 T ⇒ T sim_{HMG+s} S. That is, if T is at least as expressive as S with respect to properties 𝒫, then T admits a monotonic HMG+ simulation of S.

Proof: Let S and T be arbitrary access control systems such that S ≤_𝒫 T. Since S ≤_𝒫 T, for any access control system U, if S sim_𝒫 U, then T sim_𝒫 U. Since S can trivially simulate itself, S sim_𝒫 S, and thus T sim_𝒫 S.

The proof of Lemma 8 proves all properties besides monotonicity. Since CTa satisfies the definition of monotonicity, we thus have that T admits a monotonic HMG+ simulation of S (T sim_{HMG+s} S). ■

Theorem 15 HMG+s = {SCq, QDt, R→, CTa}; that is, HMG+ parameterized expressiveness with monotonicity decomposes to query correspondence, theory-dependent query, forward reachability, and access monotonicity.

Proof: By Lemma 13, if T sim_{HMG+s} S, then S ≤_𝒫 T. By Lemma 14, if S ≤_𝒫 T, then T sim_{HMG+s} S. Thus, S ≤_𝒫 T if and only if T sim_{HMG+s} S, and thus the monotonic HMG+ simulation decomposes to {SCq, QDt, R→, CTa}. ■

E. Admin-Preserving HMG+ Parameterized Expressiveness

For the purposes of this proof, let the set of simulation properties 𝒫 = {SCq, QDt, R→, CAa}.

Lemma 16 Given access control systems S, T, and U,

T sim_{HMG+p} S ∧ S sim_𝒫 U ⇒ T sim_𝒫 U

That is, if T admits an admin-preserving HMG+ simulation of S, and S admits a simulation of U with properties {SCq, QDt, R→, CAa}, then T admits a simulation of U with properties {SCq, QDt, R→, CAa}.

Proof: The proof of Lemma 7 proves all properties besides CAa with no change. Thus, we now show CAa.

Consider arbitrary command ψ^U ∈ Ψ^U and state γ^U ∈ Γ^U. Since S sim_𝒫 U, by CAa,

\[ \forall \psi^S \in \sigma_\psi(\psi^U, \gamma^U) . \ \alpha(\psi^S) \in A^S \Leftrightarrow \alpha(\psi^U) \in A^U \]

Consider state γ^T ∈ Γ^T. Since T sim_{HMG+p} S, by admin-preservation,

\[ \forall \psi^T \in \sigma_\psi(\psi^S, \gamma^T) . \ \alpha(\psi^T) \in A^T \Leftrightarrow \alpha(\psi^S) \in A^S \]

Thus, the same holds for every T command in the composed mapping of ψ^U, and the composed command mapping satisfies CAa.

Hence, T sim_{SCq,QDt,R→,CAa} U. ■

Lemma 17 Given access control systems S and T and simulation properties 𝒫 = {SCq, QDt, R→, CAa}, S ≤_𝒫 T ⇒ T sim_{HMG+p} S. That is, if T is at least as expressive as S with respect to properties 𝒫, then T admits an admin-preserving HMG+ simulation of S.

Proof: Let S and T be arbitrary access control systems such that S ≤_𝒫 T. Since S ≤_𝒫 T, for any access control system U, if S sim_𝒫 U, then T sim_𝒫 U. Since S can trivially simulate itself, S sim_𝒫 S, and thus T sim_𝒫 S.

The proof of Lemma 8 proves all properties besides admin-preservation. Since CAa satisfies the definition of admin-preservation, we thus have that T admits an admin-preserving HMG+ simulation of S (T sim_{HMG+p} S). ■

Theorem 18 HMG+p = {SCq, QDt, R→, CAa}; that is, HMG+ parameterized expressiveness with admin-preservation decomposes to query correspondence, theory-dependent query, forward reachability, and administration preservation.

Proof: By Lemma 16, if T sim_{HMG+p} S, then S ≤_𝒫 T. By Lemma 17, if S ≤_𝒫 T, then T sim_{HMG+p} S. Thus, S ≤_𝒫 T if and only if T sim_{HMG+p} S, and thus the admin-preserving HMG+ simulation decomposes to {SCq, QDt, R→, CAa}. ■

F. SMG Simulation

For the purposes of this proof, let the set of simulation properties 𝒫 = {SCa, R→}.

Lemma 19 Given access control systems S, T, and U,

T sim_{SMG} S ∧ S sim_𝒫 U ⇒ T sim_𝒫 U

That is, if T admits an SMG simulation of S, and S admits a simulation of U with properties {SCa, R→}, then T admits a simulation of U with properties {SCa, R→}.

Proof: Let S, T, and U be arbitrary access control systems such that T sim_{SMG} S and S sim_𝒫 U. To prove Lemma 19 we must then show that T sim_𝒫 U.

Choose an arbitrary state γ_0^U ∈ Γ^U and command ψ^U ∈ Ψ^U, and let next(γ_0^U, ψ^U) = γ_1^U. Let γ_0^S ∈ Γ^S such that γ_0^U ~ γ_0^S. Since S sim_𝒫 U,

\[ \exists \gamma_1^S \in \Gamma^S . \big(\mathit{terminal}(\gamma_0^S, \sigma_\psi(\psi^U, \gamma_0^S)) = \gamma_1^S \wedge \gamma_1^U \sim \gamma_1^S\big) \]

Let γ_0^T ∈ Γ^T such that γ_0^S ~ γ_0^T. Since T sim_{SMG} S, request r can be granted in S if and only if σ(r) can be granted in T. More concretely,

\[ \exists \gamma_1^T \in \Gamma^T . \big(\gamma_0^T \mapsto \gamma_1^T \wedge \gamma_1^S \sim \gamma_1^T\big) \]

Thus, there exists a sequence of T commands Ψ_0^T such that terminal(γ_0^T, Ψ_0^T) = γ_1^T. Define σ_ψ : Ψ^U × Γ^T → (Ψ^T)* such that it returns Ψ_0^T for γ_0^T, ψ^U. This is formed by concatenating a sequence of sequences of commands: for each command ψ_i^S that S needs to execute to simulate ψ^U, concatenate the commands that T needs to execute to simulate ψ_i^S.

Then, given γ_0^U, γ_1^U ∈ Γ^U, ψ^U ∈ Ψ^U such that next(γ_0^U, ψ^U) = γ_1^U, and γ_0^U ~ γ_0^T,

\[ \exists \gamma_1^T \in \Gamma^T . \big(\mathit{terminal}(\gamma_0^T, \sigma_\psi(\psi^U, \gamma_0^T)) = \gamma_1^T \wedge \gamma_1^U \sim \gamma_1^T\big) \]

Hence, T sim_{SCa,R→} U. ■

Lemma 20 Given access control systems S and T and simulation properties 𝒫 = {SCa, R→}, S ≤_𝒫 T ⇒ T sim_{SMG} S. That is, if T is at least as expressive as S with respect to properties 𝒫, then T admits an SMG simulation of S.

Proof: Let S and T be arbitrary access control systems such that S ≤_𝒫 T. Since S ≤_𝒫 T, for any access control system U, if S sim_𝒫 U, then T sim_𝒫 U. Since S can trivially simulate itself, S sim_𝒫 S, and thus T sim_𝒫 S.

By SCa and QPa, request r can be granted in S if and only if σ(r) can be granted in T. This satisfies the definition of the SMG simulation, and hence T admits an SMG simulation of S (T sim_{SMG} S). ■

Theorem 21 SMG = {SCa, R→}; that is, the SMG simulation decomposes to authorization correspondence and forward reachability.

Proof: By Lemma 19, if T sim_{SMG} S, then S ≤_𝒫 T. By Lemma 20, if S ≤_𝒫 T, then T sim_{SMG} S. Thus, S ≤_𝒫 T if and only if T sim_{SMG} S, and thus the SMG simulation decomposes to {SCa, R→}. ■


G. Ganta Simulation

For the purposes of this proof, let the set of simulation properties 𝒫 = {SCa, QPa, CTs, R↔}.

Lemma 22 Given access control systems S, T, and U,

T sim_{Ganta} S ∧ S sim_𝒫 U ⇒ T sim_𝒫 U

That is, if T admits a Ganta simulation of S, and S admits a simulation of U with properties {SCa, QPa, CTs, R↔}, then T admits a simulation of U with properties {SCa, QPa, CTs, R↔}.

Proof: Let S, T, and U be arbitrary access control systems such that T sim_{Ganta} S and S sim_𝒫 U. To prove Lemma 22 we must then show that T sim_𝒫 U.

Choose an arbitrary state γ_0^U ∈ Γ^U and command ψ^U ∈ Ψ^U, and let next(γ_0^U, ψ^U) = γ_1^U. Let γ_0^S ∈ Γ^S such that γ_0^U ~ γ_0^S. Since S sim_𝒫 U,

\[ \exists \gamma_1^S \in \Gamma^S . \big(\mathit{terminal}(\gamma_0^S, \sigma_\psi(\psi^U, \gamma_0^S)) = \gamma_1^S \wedge \gamma_1^U \sim \gamma_1^S\big) \]

Let γ_0^T ∈ Γ^T such that γ_0^S ~ γ_0^T. Since T sim_{Ganta} S, by Property 2 there must exist an equivalent history to γ_0^S ↦ γ_1^S in T with an access-correspondent completion state. Thus,

\[ \exists \gamma_1^T \in \Gamma^T . \big(\gamma_0^T \mapsto \gamma_1^T \wedge \gamma_1^S \sim \gamma_1^T\big) \]

Thus, there exists a sequence of T commands Ψ_0^T such that terminal(γ_0^T, Ψ_0^T) = γ_1^T. Define σ_ψ : Ψ^U × Γ^T → (Ψ^T)* such that it returns Ψ_0^T for γ_0^T, ψ^U. This is formed by concatenating a sequence of sequences of commands: for each command ψ_i^S that S needs to execute to simulate ψ^U, concatenate the commands that T needs to execute to simulate ψ_i^S.

Then, given γ_0^U, γ_1^U ∈ Γ^U, ψ^U ∈ Ψ^U such that next(γ_0^U, ψ^U) = γ_1^U, and γ_0^U ~ γ_0^T,

\[ \exists \gamma_1^T \in \Gamma^T . \big(\mathit{terminal}(\gamma_0^T, \sigma_\psi(\psi^U, \gamma_0^T)) = \gamma_1^T \wedge \gamma_1^U \sim \gamma_1^T\big) \]

Hence, T sim_{SCa,R→} U. Next we show R↔.

Choose some arbitrary states γ_0^T, γ_1^T ∈ Γ^T such that γ_0^T ↦ γ_1^T. Let γ_0^S ∈ Γ^S such that γ_0^S ~ γ_0^T. Since T sim_{Ganta} S, by Property 3 there must exist an equivalent history to γ_0^T ↦ γ_1^T in S with an access-correspondent completion state. Thus,

\[ \exists \gamma_1^S \in \Gamma^S . \big(\gamma_0^S \mapsto \gamma_1^S \wedge \gamma_1^S \sim \gamma_1^T\big) \]

Let γ_0^U ∈ Γ^U such that γ_0^S ~ γ_0^U. Since S sim_𝒫 U, by R↔,

\[ \exists \gamma_1^U \in \Gamma^U . \big(\gamma_0^U \mapsto \gamma_1^U \wedge \gamma_1^U \sim \gamma_1^S\big) \]

Thus, given γ_0^T, γ_1^T ∈ Γ^T, γ_0^U ∈ Γ^U such that γ_0^T ↦ γ_1^T and γ_0^U ~ γ_0^T,

\[ \exists \gamma_1^U \in \Gamma^U . \big(\gamma_0^U \mapsto \gamma_1^U \wedge \gamma_1^U \sim \gamma_1^T\big) \]

Hence, T sim_{SCa,R↔} U. Next we show QPa.

Choose an arbitrary request r ∈ R^U and states γ^S ∈ Γ^S, γ^U ∈ Γ^U. Since S sim_𝒫 U,

\[ \sigma_Q(r, \gamma^U) = \gamma^S \vdash r \]

Since T sim_{Ganta} S, by Property 6,

\[ \forall r^S \in R^S : \sigma_Q(r^S, \gamma^S) = \gamma^T \vdash r^S \]

Since S sim_𝒫 U, by SCa, r ∈ R^S. Thus,

\[ \sigma_Q(r, \gamma^U) = \gamma^T \vdash r \]

Hence, T sim_{SCa,QPa,R↔} U. Next we show CTs.

Choose an arbitrary command ψ^U ∈ Ψ^U and state γ_0^U ∈ Γ^U. Let:

• (ψ_1^S, ..., ψ_n^S) = σ_ψ(ψ^U, γ_0^S)
• γ_i^S = terminal(γ_0^S, ψ_1^S ∘ ··· ∘ ψ_i^S)

Since S sim_𝒫 U, by CTs,

\[ \mathit{Allowed}(\gamma_i^S) \subseteq \mathit{Allowed}(\gamma_0^S) \vee \mathit{Allowed}(\gamma_i^S) \subseteq \mathit{Allowed}(\gamma_n^S) \]

for any γ_i^S.

Furthermore, let:

• γ_0^T = σ_Γ(γ_0^S)
• (ψ_{i,1}^T, ..., ψ_{i,m}^T) = σ_ψ(ψ_i^S, γ_{i-1,0}^T)
• γ_{i,0}^T = terminal(γ_{i-1,0}^T, ψ_{i,1}^T ∘ ··· ∘ ψ_{i,m}^T)
• γ_{i,j}^T = terminal(γ_{i,0}^T, ψ_{i+1,1}^T ∘ ··· ∘ ψ_{i+1,j}^T)

Put simply, ψ^U is simulated in T by the following sequence of commands:

ψ_{1,1}^T, ..., ψ_{1,m}^T, ψ_{2,1}^T, ..., ψ_{n,m}^T

thus passing through the following trace of states:

γ_{0,0}^T, γ_{0,1}^T, ..., γ_{0,m-1}^T, γ_{1,0}^T, ..., γ_{n-1,m-1}^T, γ_{n,0}^T

Consider an arbitrary state γ_{i,j}^T in this trace. Since T sim_{Ganta} S, by Property 6,

\[ \mathit{Allowed}(\gamma_{i,j}^T) \subseteq \mathit{Allowed}(\gamma_{i,0}^T) \vee \mathit{Allowed}(\gamma_{i,j}^T) \subseteq \mathit{Allowed}(\gamma_{i+1,0}^T) \]

Since S sim_𝒫 U, by CTs and SCa,

\[ \mathit{Allowed}(\gamma_{i,0}^T) \subseteq \mathit{Allowed}(\gamma_{0,0}^T) \vee \mathit{Allowed}(\gamma_{i,0}^T) \subseteq \mathit{Allowed}(\gamma_{n,0}^T) \]

as well as for γ_{i+1,0}^T in place of γ_{i,0}^T. Thus,

\[ \mathit{Allowed}(\gamma_{i,j}^T) \subseteq \mathit{Allowed}(\gamma_{0,0}^T) \vee \mathit{Allowed}(\gamma_{i,j}^T) \subseteq \mathit{Allowed}(\gamma_{n,0}^T) \]

Hence, T sim_{SCa,QPa,CTs,R↔} U. ■

Lemma 23 Given access control systems S and T and simulation properties 𝒫 = {SCa, QPa, CTs, R↔}, S ≤_𝒫 T ⇒ T sim_{Ganta} S. That is, if T is at least as expressive as S with respect to properties 𝒫, then T admits a Ganta simulation of S.

Proof: Let S and T be arbitrary access control systems such that S ≤_𝒫 T. Since S ≤_𝒫 T, for any access control system U, if S sim_𝒫 U, then T sim_𝒫 U. Since S can trivially simulate itself, S sim_𝒫 S, and thus T sim_𝒫 S.

By SCa, QPa, and the definition of σ_Γ, we have a Ganta scheme mapping from S to T, satisfying Ganta simulation Property 1.

By R→ and the definition of σ_ψ, all histories of S have equivalent serial histories of T, satisfying Property 2.

By R↔ and the definition of σ_ψ, all incomplete histories of T can be completed serially, and all complete histories of T have equivalent histories of S, satisfying Properties 3-5.

Finally, by QPa and CTs, completion states are access-correspondent, and intermediate states are non-contaminating, satisfying Property 6.

These properties define the Ganta simulation, and hence T admits a Ganta simulation of S (T sim_{Ganta} S). ■

Theorem 24 Ganta = {SCa, QPa, CTs, R↔}; that is, the Ganta simulation decomposes to access correspondence, authorization preservation, anti-contamination, and bidirectional reachability.

Proof: By Lemma 22, if T sim_{Ganta} S, then S ≤_𝒫 T. By Lemma 23, if S ≤_𝒫 T, then T sim_{Ganta} S. Thus, S ≤_𝒫 T if and only if T sim_{Ganta} S, and thus the Ganta simulation decomposes to {SCa, QPa, CTs, R↔}. ■

H. CDM Weak Simulation

For the purposes of this proof, let the set of simulation properties 𝒫 = {SCa, QPa, CDi, R→}.

Lemma 25 Given access control systems S, T, and U,

T sim_{CDMw} S ∧ S sim_𝒫 U ⇒ T sim_𝒫 U

That is, if T admits a CDM weak simulation of S, and S admits a simulation of U with properties {SCa, QPa, CDi, R→}, then T admits a simulation of U with properties {SCa, QPa, CDi, R→}.

Proof: To prove this lemma, we let S, T, and U be access control systems such that T sim_{CDMw} S and S sim_𝒫 U but are otherwise arbitrary, and we show that T sim_𝒫 U.

Choose an arbitrary state γ_0^U ∈ Γ^U and command ψ^U ∈ Ψ^U, and let next(γ_0^U, ψ^U) = γ_1^U. Let γ_0^S ∈ Γ^S such that γ_0^U ~ γ_0^S. Since S sim_𝒫 U,

\[ \exists \gamma_1^S \in \Gamma^S . \big(\mathit{terminal}(\gamma_0^S, \sigma_\psi(\psi^U, \gamma_0^S)) = \gamma_1^S \wedge \gamma_1^U \sim \gamma_1^S\big) \]

Let γ_0^T ∈ Γ^T such that γ_0^S ~ γ_0^T. Since T sim_{CDMw} S,

\[ \exists \gamma_1^T \in \Gamma^T . \big(\gamma_0^T \mapsto \gamma_1^T \wedge \gamma_1^S \sim \gamma_1^T\big) \]

Thus, there exists a sequence of T commands Ψ_0^T such that terminal(γ_0^T, Ψ_0^T) = γ_1^T. Define σ_ψ : Ψ^U × Γ^T → (Ψ^T)* such that it returns Ψ_0^T for γ_0^T, ψ^U.

Then, given γ_0^U, γ_1^U ∈ Γ^U, ψ^U ∈ Ψ^U such that next(γ_0^U, ψ^U) = γ_1^U, and γ_0^U ~ γ_0^T,

\[ \exists \gamma_1^T \in \Gamma^T . \big(\mathit{terminal}(\gamma_0^T, \sigma_\psi(\psi^U, \gamma_0^T)) = \gamma_1^T \wedge \gamma_1^U \sim \gamma_1^T\big) \]

Hence, T sim_{SCa,R→} U. Next, we show QPa.

Choose an arbitrary request r ∈ R^U and states γ^S ∈ Γ^S, γ^U ∈ Γ^U. Since S sim_𝒫 U,

\[ \sigma_Q(r, \gamma^U) = \gamma^S \vdash r \]

Since T sim_{CDMw} S,

\[ \forall r^S \in R^S : \sigma_Q(r^S, \gamma^S) = \gamma^T \vdash r^S \]

Since S sim_𝒫 U, by SCa, r ∈ R^S. Thus,

\[ \sigma_Q(r, \gamma^U) = \gamma^T \vdash r \]

Hence, T sim_{SCa,QPa,R→} U. Next we show CDi.

Since S sim_𝒫 U, by CDi,

\[ \exists \sigma^{\mathit{ind}} : \Psi^U \to (\Psi^S)^* . \big(\sigma_\psi(\psi, \gamma) = \sigma^{\mathit{ind}}(\psi)\big) \]

Thus, σ_ψ maps U commands to S commands without considering the state in which they will be executed.

Since T sim_{CDMw} S, by weak model containment, S commands are mapped to T commands without considering the state in which they will be executed. Call this mapping σ^{CDM}.

Thus, let σ' : Ψ^U → (Ψ^T)* = σ^{CDM} ∘ σ^{ind} and say σ_ψ(ψ^U, γ^T) = σ'(ψ^U). This forms a command mapping that satisfies CDi.

Hence, T sim_𝒫 U. ■

Lemma 26 Given access control systems S and T and simulation properties 𝒫 = {SCa, QPa, CDi, R→}, S ≤_𝒫 T ⇒ T sim_{CDMw} S. That is, if T is at least as expressive as S with respect to properties 𝒫, then T admits a CDM weak simulation of S.

Proof: To prove this lemma, we let S and T be arbitrary access control systems such that S ≤_𝒫 T, and we show that T sim_{CDMw} S.

Since S ≤_𝒫 T, for any access control system U, if S sim_𝒫 U, then T sim_𝒫 U. Since S can trivially simulate itself, S sim_𝒫 S, and thus T sim_𝒫 S.

Thus, given γ_0^S, γ_1^S ∈ Γ^S, γ_0^T ∈ Γ^T, by SCa and R→, if γ_0^S ~ γ_0^T and γ_0^S ↦ γ_1^S, then

\[ \exists \gamma_1^T . \big(\gamma_0^T \mapsto \gamma_1^T \wedge \gamma_1^S \sim \gamma_1^T\big) \]

By CDi,

\[ \exists \sigma^{\mathit{ind}} : \Psi^S \to (\Psi^T)^* . \big(\sigma_\psi(\psi, \gamma) = \sigma^{\mathit{ind}}(\psi)\big) \]

This relation is thus a weak access-containment relation, which satisfies the definition for a CDM weak simulation, and hence T admits a CDM weak simulation of S (T sim_{CDMw} S). ■

Theorem 27 CDMw = {SCa, QPa, CDi, R→}; that is, the CDM weak simulation decomposes to authorization correspondence, authorization preservation, independent command mapping, and forward reachability.

Proof: By Lemma 25, if T sim_{CDMw} S, then S ≤_𝒫 T. By Lemma 26, if S ≤_𝒫 T, then T sim_{CDMw} S. Thus, S ≤_𝒫 T if and only if T sim_{CDMw} S, and thus the CDM weak simulation decomposes to {SCa, QPa, CDi, R→}. ■

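The composition construction that the proofs of Lemmas 19, 22, 25 and 28 share (map each U command to S commands, then concatenate the T commands that simulate each of those), as an added example that is not the paper's own code. The toy systems U, S and T, and the names Sim, compose, correct and state_independent, are constructed here for illustration; the S state is threaded through the concatenation so that a state-dependent T mapping sees the intermediate state it would see in a real run, and the CDi check mirrors Lemma 25's argument that composing state-independent mappings gives a state-independent mapping:

```python
# Composing simulations, the construction used in the proofs of Lemmas 19, 22,
# 25 and 28: given T sim S and S sim U, map each U command to S commands and
# concatenate the T commands that simulate each of those.  Added example; the
# toy systems U, S and T are constructed here for illustration.
from typing import Callable, List, NamedTuple

def terminal(nxt, gamma, cmds):
    """terminal(gamma, psi_1 o ... o psi_k): run the commands in order."""
    for psi in cmds:
        gamma = nxt(gamma, psi)
    return gamma

class Sim(NamedTuple):
    """upper simulates lower: sigma_state maps lower states to upper states;
    sigma_cmd maps a lower command (in its lower state) to upper commands."""
    lower: Callable          # next() of the simulated system
    upper: Callable          # next() of the simulating system
    sigma_state: Callable
    sigma_cmd: Callable

def compose(ts: Sim, su: Sim) -> Sim:
    """Build T sim U from T sim S (ts) and S sim U (su).  The S state is
    advanced after each S command so that a state-dependent T mapping sees
    the intermediate state it would see in a real run."""
    def sigma_cmd(psi_u, gamma_u) -> List:
        gamma_s, out = su.sigma_state(gamma_u), []
        for psi_s in su.sigma_cmd(psi_u, gamma_u):
            out += ts.sigma_cmd(psi_s, gamma_s)
            gamma_s = ts.lower(gamma_s, psi_s)
        return out
    return Sim(su.lower, ts.upper,
               lambda g: ts.sigma_state(su.sigma_state(g)), sigma_cmd)

def correct(sim: Sim, states, cmds) -> bool:
    """R->: the mapped commands take sigma(gamma) to sigma(next(gamma, psi))."""
    return all(terminal(sim.upper, sim.sigma_state(g), sim.sigma_cmd(p, g))
               == sim.sigma_state(sim.lower(g, p))
               for g in states for p in cmds)

def state_independent(sim: Sim, states, cmds) -> bool:
    """CDi: the command mapping does not depend on the state."""
    return all(sim.sigma_cmd(p, a) == sim.sigma_cmd(p, b)
               for p in cmds for a in states for b in states)

# Toy systems (states are frozensets of facts): U grants several objects at
# once, S grants one per command, T needs an issue/confirm pair per access.
def u_next(g, c):
    return (g | {(c[1], o) for o in c[2]}) if c[0] == "grant_all" else g - {(c[1], c[2])}
def s_next(g, c):
    return (g | {(c[1], c[2])}) if c[0] == "grant" else g - {(c[1], c[2])}
def t_next(g, c):
    s, o = c[1], c[2]
    if c[0] == "issue":
        return g | {(s, o, "pending")}
    if c[0] == "confirm" and (s, o, "pending") in g:
        return (g - {(s, o, "pending")}) | {(s, o, "ok")}
    return g - {(s, o, "pending"), (s, o, "ok")} if c[0] == "revoke" else g

S_sim_U = Sim(u_next, s_next, lambda g: g,
              lambda c, g: ([("grant", c[1], o) for o in c[2]] if c[0] == "grant_all"
                            else [("revoke", c[1], c[2])]))
T_sim_S = Sim(s_next, t_next, lambda g: frozenset((s, o, "ok") for s, o in g),
              lambda c, g: ([("revoke", c[1], c[2])] if c[0] == "revoke"
                            else [] if (c[1], c[2]) in g      # already granted
                            else [("issue", c[1], c[2]), ("confirm", c[1], c[2])]))
T_sim_U = compose(T_sim_S, S_sim_U)     # the composed U-to-T simulation
```

Because T_sim_S consults the state, the composed T_sim_U is not state-independent; swapping in a state-independent T mapping makes the composition state-independent as Lemma 25 argues.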

I. CDM Strong Simulation

For the purposes of this proof, let the set of simulation properties 𝒫 = {SCa, QPa, CDi, CSl, R→}.

Lemma 28 Given access control systems S, T, and U,

T sim_{CDMs} S ∧ S sim_𝒫 U ⇒ T sim_𝒫 U

That is, if T admits a CDM strong simulation of S, and S admits a simulation of U with properties {SCa, QPa, CDi, CSl, R→}, then T admits a simulation of U with properties {SCa, QPa, CDi, CSl, R→}.

Proof: To prove this lemma, we let S, T, and U be access control systems such that T sim_{CDMs} S and S sim_𝒫 U but are otherwise arbitrary, and we show that T sim_𝒫 U.

Choose an arbitrary state γ_0^U ∈ Γ^U and command ψ^U ∈ Ψ^U, and let next(γ_0^U, ψ^U) = γ_1^U. Let γ_0^S ∈ Γ^S such that γ_0^U ~ γ_0^S. Since S sim_𝒫 U,

\[ \exists \gamma_1^S \in \Gamma^S . \big(\mathit{terminal}(\gamma_0^S, \sigma_\psi(\psi^U, \gamma_0^S)) = \gamma_1^S \wedge \gamma_1^U \sim \gamma_1^S\big) \]

Let γ_0^T ∈ Γ^T such that γ_0^S ~ γ_0^T. Since T sim_{CDMs} S,

\[ \exists \gamma_1^T \in \Gamma^T . \big(\gamma_0^T \mapsto \gamma_1^T \wedge \gamma_1^S \sim \gamma_1^T\big) \]

Thus, there exists a T command ψ_0^T such that next(γ_0^T, ψ_0^T) = γ_1^T. Define σ_ψ : Ψ^U × Γ^T → Ψ^T such that it returns ψ_0^T for γ_0^T, ψ^U.

Then, given γ_0^U, γ_1^U ∈ Γ^U, ψ^U ∈ Ψ^U such that next(γ_0^U, ψ^U) = γ_1^U, and γ_0^U ~ γ_0^T,

\[ \exists \gamma_1^T \in \Gamma^T . \big(\mathit{next}(\gamma_0^T, \sigma_\psi(\psi^U, \gamma_0^T)) = \gamma_1^T \wedge \gamma_1^U \sim \gamma_1^T\big) \]

Hence, T sim_{SCa,R→} U. Next, we show QPa.

Choose an arbitrary request r ∈ R^U and states γ^S ∈ Γ^S, γ^U ∈ Γ^U. Since S sim_𝒫 U,

\[ \sigma_Q(r, \gamma^U) = \gamma^S \vdash r \]

Since T sim_{CDMs} S,

\[ \forall r^S \in R^S : \sigma_Q(r^S, \gamma^S) = \gamma^T \vdash r^S \]

Since S sim_𝒫 U, by SCa, r ∈ R^S. Thus,

\[ \sigma_Q(r, \gamma^U) = \gamma^T \vdash r \]

Hence, T sim_{SCa,QPa,R→} U. Next we show CDi and CSl.

Since S sim_𝒫 U, by CDi and CSl,

\[ \exists \sigma^{\mathit{ind}} : \Psi^U \to \Psi^S . \big(\sigma_\psi(\psi, \gamma) = \sigma^{\mathit{ind}}(\psi)\big) \]

Thus, σ_ψ maps U commands to S commands without considering the state in which they will be executed.

Since T sim_{CDMs} S, by strong model containment, S commands are mapped to single T commands without considering the state in which they will be executed. Call this mapping σ^{CDM}.

Thus, let σ' : Ψ^U → Ψ^T = σ^{CDM} ∘ σ^{ind} and say σ_ψ(ψ^U, γ^T) = σ'(ψ^U). This forms a command mapping that satisfies CDi and CSl.

Hence, T sim_𝒫 U. ■

Lemma 29 Given access control systems S and T and simulation properties 𝒫 = {SCa, QPa, CDi, CSl, R→}, S ≤_𝒫 T ⇒ T sim_{CDMs} S. That is, if T is at least as expressive as S with respect to properties 𝒫, then T admits a CDM strong simulation of S.

Proof: To prove this lemma, we let S and T be arbitrary access control systems such that S ≤_𝒫 T, and we show that T sim_{CDMs} S.

Since S ≤_𝒫 T, for any access control system U, if S sim_𝒫 U, then T sim_𝒫 U. Since S can trivially simulate itself, S sim_𝒫 S, and thus T sim_𝒫 S.

Thus, given γ_0^S, γ_1^S ∈ Γ^S, γ_0^T ∈ Γ^T, by SCa and R→, if γ_0^S ~ γ_0^T and γ_0^S ↦ γ_1^S, then

\[ \exists \gamma_1^T . \big(\gamma_0^T \mapsto \gamma_1^T \wedge \gamma_1^S \sim \gamma_1^T\big) \]

By CDi and CSl,

\[ \exists \sigma^{\mathit{ind}} : \Psi^S \to \Psi^T . \big(\sigma_\psi(\psi, \gamma) = \sigma^{\mathit{ind}}(\psi)\big) \]

This relation is thus a strong access-containment relation, which satisfies the definition for a CDM strong simulation, and hence T admits a CDM strong simulation of S (T sim_{CDMs} S). ■

Theorem 30 CDMs = {SCa, QPa, CDi, CSl, R→}; that is, the CDM strong simulation decomposes to authorization correspondence, authorization preservation, independent command mapping, lock-step, and forward reachability.

Proof: By Lemma 28, if T sim_{CDMs} S, then S ≤_𝒫 T. By Lemma 29, if S ≤_𝒫 T, then T sim_{CDMs} S. Thus, S ≤_𝒫 T if and only if T sim_{CDMs} S, and thus the CDM strong simulation decomposes to {SCa, QPa, CDi, CSl, R→}. ■